DJI Offers Up to $30,000 for Identifying Security Threats in its Code
The latest DJI update removes plugins that may have been collecting user data without the company's knowledge.
In a move to increase the security of its DJI Go and DJI Go 4 apps, DJI has removed a plugin from the apps called JPush after the company discovered the plugin had been collecting users' data without its knowledge.
The plugin was designed to facilitate delivery of push notifications on Android devices once users' videos had uploaded to Skypixel (a DJI-branded photo/video sharing platform). The plugin, which needed only minimal user data to perform its function, was found to be collecting personal user information and a list of the apps installed on the users' Android devices.
In addition to revoking JPush's access, DJI also removed other plugins, including "jsPatch" (iOS) and "tinker" (Android), that facilitated "hot patching" (a system for allowing DJI to update parts of its app on users' devices without their knowledge and without requiring a full app update). In addition to the removal of these three plugins, DJI has also instituted a bounty system for developers that could net them up to $30,000 if they are able to identify exploits within the code.
Prior to its removal of the JPush plugin, DJI also introduced a "local mode" that prevents its drones from transmitting any user data to DJI servers.