DJI Strengthens Software Security in Flight Control Applications
Key Takeaways
- DJI has released substantial updates to its DJI GO and DJI GO 4 apps to enhance software security.
- Third-party plugins that were found to compromise user privacy have been removed from the applications.
- The company is introducing a rigorous code review and testing process for future updates and plugins.
- New initiatives include an internal educational program for developers and a bug bounty program for external researchers.
August 28, 2017 – Software Security Enhancements
In a decisive move towards enhancing user security, DJI has announced significant updates for its DJI GO and DJI GO 4 mobile applications. These updates, now available for both Android and iOS users, aim to address key concerns regarding how data is handled within the apps during online transactions.
Addressing Security Concerns
Many functions within the DJI GO and DJI GO 4 applications rely on third-party plugins, which support features like livestreaming, image sharing, and transactions in the DJI Store. However, after thorough evaluations, DJI made the proactive decision to remove certain plugins that did not meet its stringent security criteria.
One prominent plugin, JPush, has been removed. It was used to send push notifications to users when their videos were successfully uploaded to DJI’s SkyPixel platform. Originally introduced in March 2016 for iOS, with Android support following in May 2017, the plugin assigned a unique JPush ID to each user, and this ID was used to communicate about video uploads. Recent investigations by DJI’s security team found that JPush was also transmitting additional data, including details about the apps installed on users’ Android devices. This collection and transmission of data without user consent prompted DJI to act, and the company confirmed that no proprietary data from users was ever accessed.
An Emphasis on Privacy
To bolster user privacy further, DJI also removed two “hot-patching” plugins: jsPatch for iOS and Tinker for Android. These plugins had allowed quick updates to be delivered directly within the apps to address flight security issues and bugs as they arose. However, so that all updates receive comprehensive testing, DJI has chosen to remove them.
Ongoing Commitment to Security
DJI remains dedicated to its mission of providing secure and streamlined applications. The company is actively reviewing all existing third-party plugins and services integrated into the DJI GO and DJI GO 4 applications, while also committing to thorough assessments of any new plugins before incorporation. Current integrations such as YouTube and Facebook for livestreaming, and payment platforms like Alipay and Taobao, are under continued scrutiny to ensure they align with DJI’s security practices.
In addition to these removals, DJI has rolled out an internal educational program aimed at developers, reinforcing the importance of security in software development. The new initiatives include an intensified code review process and a bug bounty program, inviting external researchers to contribute to the improvement of DJI’s offerings and increasing awareness around potential security flaws.
Keeping User Experience First
DJI emphasizes that its primary objective is to deliver an exceptional user experience. Acknowledging concerns surrounding user data, the company clarifies that it does not monetize this data. Instead, information is gathered strictly for troubleshooting, enhancing customer service, and ensuring app updates yield accurate localized flight information.
For users keen to benefit from these security updates, DJI GO 4 versions have been upgraded to 4.1.7 for iOS and 4.1.5.3 for Android, while the standard DJI GO versions have been updated to 3.1.15 for iOS and 3.1.11 for Android. The company urges all users to download the latest versions from their respective app stores.