HedgeTrimmer
DJI Android GO 4 application security analysis
{Snippet}
We found that :
- Despite being under scrutiny, DJI did not improve the transparency surrounding the potential abuse of its Android mobile application: the DJI GO 4 application makes use of similar anti-analysis techniques as malware, such as anti-debug, obfuscation, packing and dynamic encryption.
- After de-obfuscation, our research located two features of the software that call home and wait for a file that orders the user’s phone to install a forced update or install a new software. This mechanism is very similar to command and control servers encountered with malware. Given the wide permissions required by DJI GO 4 [5] (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone. This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery [6] or in-app updates [7]. Google is then unable to perform any verification of updates and modifications pushed by DJI. According to Google Play, the application has been installed on more than a million personal devices, suggesting any security risks are widespread.
- The MobTech component embedded in recent versions of the DJI Android GO 4 application collects personal data such as IMSI, IMEI, the serial number of the SIM card, etc. This data is not relevant or necessary for drone flights and goes beyond DJI’s privacy policy [8]. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop on communications.
- The DJI GO 4 application on the Android platform does not close when the user closes the app with a swipe right. The app continues to run in the background and makes network requests.
- Whereas our findings affect the Android version of DJI GO 4, the iOS version of the application is not obfuscated and doesn’t have the hidden update mechanisms.
Follow Up from GRIMM
DJI Privacy Analysis Validation
To provide an independent review of the findings, the vendor asked GRIMM to validate Synacktiv’s findings. This blog describes GRIMM’s setup and workflow for validating Synacktiv’s research. Using the techniques described in the following sections to perform static and dynamic analysis on the DJI GO 4 Android application, GRIMM was able to verify and confirm the findings from Synacktiv’s report.
{Snippets}
Findings Validation
Once GRIMM was able to statically analyze the application’s decrypted and decompiled source code and intercept and analyze the application’s network requests, we proceeded to validate Synacktiv’s findings.
Self-Update Mechanism
Synacktiv’s report describes DJI GO 4’s custom update mechanism. This update service does not use the Google Play Store and thus is not subject to its review process. As such, there is no guarantee that the application that is downloaded for one user matches that of another user. If DJI’s update server is malicious, or compromised by an attacker, it could use this mechanism to target individual users with malicious application updates. One thing to note: this behavior is a violation of Google’s Developer Program Policies, which state:
Mob SDK Data Collection
In Synacktiv’s report, the researchers detail their analysis of the data collection capabilities within the MobTech SDK framework. The researchers assert that the MobTech SDK framework is used to collect a substantial amount of user data and transmit it back to MobTech. GRIMM’s researchers were able to confirm the use of Mob SDK for data collection in previous versions of DJI GO 4 through both static and dynamic analysis.
App reloads in background
As described in Synacktiv’s report, when a user attempts to close the app, it restarts itself in the background. As such, the app can only be killed through the Android "Force Stop" option, as it will be restarted if closed via the normal Android swipe close gesture. While the app is in the background, it accesses the device’s location. It is unknown what is done with the location the device collects. It appears from the logcat messages (shown below) that the restarted process uses the MapBox Telemetry service, which requires a setting to opt out of location telemetry. The app does provide a switch to opt out of "Coarse Location"; however, when the switch is turned off, a message pops up (shown below) and prevents the user from turning off this setting, so it is impossible to disable. The popup does not specifically mention MapBox.
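A static-analysis triage helper, written for this page as an added example and not part of Synacktiv’s or GRIMM’s tooling: it scans decompiled Java/smali text for the Android APIs behind the three findings above (telephony identifiers such as IMSI/IMEI/SIM serial, package installs outside the Play Store, and services that keep restarting). The file paths and source fragments are constructed; the API names are real Android ones, but the grouping into categories is this example’s own.

```python
import re

# Indicator patterns grouped by the behaviour they hint at. The Android API
# names are real (TelephonyManager, Intent, Service); the grouping is ours.
INDICATORS = {
    "device_identifiers": [r"getSubscriberId\(",        # IMSI
                           r"getDeviceId\(|getImei\(",   # IMEI
                           r"getSimSerialNumber\("],     # SIM serial number
    "out_of_band_install": [r"REQUEST_INSTALL_PACKAGES",
                            r"ACTION_INSTALL_PACKAGE|PackageInstaller"],
    "background_restart": [r"START_STICKY",
                           r"AlarmManager|JobScheduler|startForegroundService\("],
}
COMPILED = {cat: re.compile("|".join(pats)) for cat, pats in INDICATORS.items()}

def triage(sources):
    """Scan decompiled source text (path -> text) for the indicators above.
    Returns (category, path, line_no, line) tuples for a human reviewer; a
    hit is a lead to confirm dynamically (e.g. by intercepting traffic)."""
    hits = []
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for cat, rx in COMPILED.items():
                if rx.search(line):
                    hits.append((cat, path, line_no, line.strip()))
    return hits

def categories(hits):
    """Distinct categories hit, sorted, for a quick summary."""
    return sorted({h[0] for h in hits})

# Constructed sample: fragments shaped like decompiled Java, not DJI's code.
SAMPLE_SOURCES = {
    "com/example/sdk/DeviceInfo.java":
        "String imsi = tm.getSubscriberId();\n"
        "String imei = tm.getDeviceId();\n"
        "String sim = tm.getSimSerialNumber();\n",
    "com/example/upgrade/Updater.java":
        "Intent i = new Intent(Intent.ACTION_INSTALL_PACKAGE);\n"
        "i.setDataAndType(Uri.fromFile(apk), MIME_APK);\n",
    "com/example/ui/MainActivity.java":
        "setContentView(R.layout.main);\n",
}

if __name__ == "__main__":
    for cat, path, n, line in triage(SAMPLE_SOURCES):
        print(f"{cat:20} {path}:{n}  {line}")
```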