Recently two different security firms were hired to reverse-engineer and analyze DJI drone software available for use on Android devices. DJI is one of the largest drone manufacturers in the world and is based in China. What the analysts found were features hidden in the software that send a bunch of technical information back to Chinese servers, most of it information that has no connection to flying drones. As Ars Technica reports, the worse case scenario here is that the app is spying on users:

Two weeks ago, security firm Synacktiv reverse-engineered the app. On Thursday, fellow security firm Grimm published the results of its own independent analysis. At a minimum, both found that the app skirted Google terms and that, until recently, the app covertly collected a wide array of sensitive user data and sent it to servers located in mainland China. A worst-case scenario is that developers are abusing hard-to-identify features to spy on users.

According to the reports, the suspicious behaviors include:

• The ability to download and install any application of the developers’ choice through either a self-update feature or a dedicated installer in a software development kit provided by China-based social media platform Weibo. Both features could download code outside of Play, in violation of Google’s terms.
• A recently removed component that collected a wealth of phone data including IMEI, IMSI, carrier name, SIM serial Number, SD card information, OS language, kernel version, screen size and brightness, wireless network name, address and MAC, and Bluetooth addresses. These details and more were sent to MobTech, maker of a software developer kit used until the most recent release of the app.
• Automatic restarts whenever a user swiped the app to close it. The restarts cause the app to run in the background and continue to make network requests.
• Advanced obfuscation techniques that make third-party analysis of the app time-consuming.

A lot of the phone data the app was collecting is Greek to me but here’s what security firm Synacktiv said about the IMSI data:

The MobTech component embedded in recent versions of DJI Android GO 4 application collects personal data such as IMSI, IMEI, the serial number of the SIM card, etc. This data is not relevant or necessary for drone flights and go beyond DJI privacy policy 8. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop communications.

I can’t think of any innocent reasons why DJI would be collecting this data but I can think of a very clear reason why the Chinese government might order them to do it. Grimm research was hired to validate the findings by Synacktiv and wrote this about the possible worst case scenario:

In the worst case, these features can be used to target specific users with malicious updates or applications that could be used to exploit the user’s phone. Given the amount of user’s information retrieved from their device, DJI or Weibo would easily be able to identify specific targets of interest. The next step in exploiting these targets would be to suggest a new application (via the Weibo SDK) or update the DJI application with a customized version built specifically to exploit their device. Once their device has been exploited, it could be used to gather additional information from the phone, track the user via the phone’s various sensors, or be used as a springboard to attack other devices on the phone’s WiFi network. This targeting system would allow an attacker to be much stealthier with their exploitation, rather than much noisier techniques, such as exploiting all devices visiting a website.

DJI has published a lengthy response to these findings which attempts to explain the reason for these features. Some of their explanations sound reasonable to me but a couple of them are a bit shaky. For instance, why does the software automatically restart itself when it is shut down by the user. Here’s DJI’s response:

DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far.

For comparison, here’s what Grimm said about that:

As described in the Synacktiv’s report, when a user attempts to close the app, it restarts itself in the background. As such, the app can only be killed through the Android “Force Stop” option, as it will be restarted if closed via the normal Android swipe close gesture. While the app is in the background, it accesses the device’s location. It is unknown what is done with the location the device collects.

And what does DJI have to say about the collection of all that personal phone data like IMSI:

The MobTech and Bugly components identified in these reports were previously removed from DJI flight control apps after earlier researchers identified potential security flaws in them. Again, there is no evidence they were ever exploited, and they were not used in DJI’s flight control systems for government and professional customers.

It’s true those components were recently removed but that’s not much consolation for the million-plus users who installed the earlier versions. Also, calling the intentional collection of this data a “potential security flaw” seems to downplay it quite a bit. The data was being collected.

Also, what does it matter that this data collection only happened on the company’s consumer products. China is well known to be interested in collecting data on ordinary Americans. It was behind the Equifax hack in 2017 and the OPM hack in 2015. So saying the app was only collecting data on consumers means nothing. China has been doing this for years.

Ars Technica notes that the US Army banned the use of DJI drones in 2017.