Chinese-made drone app in Google Play spooks security researchers

by Dan Goodin, from Ars Technica
A DJI Phantom 4 quadcopter drone. (credit: Andri Koolme)

The Android version of DJI Go 4, an app that lets users control drones, has until recently been covertly collecting sensitive user data and can download and execute code of the developers' choice, researchers said in two reports that question the security and trustworthiness of a program with more than 1 million Google Play downloads.

The app is used to control and collect near real-time video and flight data from drones made by China-based DJI, the world's biggest maker of commercial drones. The Play Store shows that it has more than 1 million downloads, but because of the way Google discloses numbers, the true number could be as high as 5 million. The app has a rating of three-and-a-half stars out of a possible total of five from more than 52,000 users.

Wide array of sensitive user data

Two weeks ago, security firm Synacktiv reverse-engineered the app. On Thursday, fellow security firm Grimm published the results of its own independent analysis. At a minimum, both found that the app skirted Google terms and that, until recently, the app covertly collected a wide array of sensitive user data and sent it to servers located in mainland China. A worst-case scenario is that developers are abusing hard-to-identify features to spy on users.
