August 28, 2017

DJI Offers Up to $30,000 for Identifying Security Threats in its Code

The latest DJI update removes plugins that may have been collecting user data without the company's knowledge.

In a move to increase the security of its DJI Go and DJI Go 4 apps, DJI has removed a plugin from the apps called JPush after the company discovered the plugin had been collecting users' data without its knowledge.

The plugin was designed to facilitate delivery of push notifications on Android devices once users' videos had uploaded to Skypixel (a DJI-branded photo/video sharing platform). The plugin, which needed only minimal user data to perform its function, was found to be collecting personal user information and a list of the apps installed on the users' Android devices. 

In addition to revoking JPush's access, DJI also removed other plugins, including "jsPatch" (iOS) and "tinker" (Android), that facilitated "hot patching" (a system that allowed DJI to update parts of its app on users' devices without their knowledge and without requiring a full app update). Alongside the removal of these three plugins, DJI has instituted a bounty system that could net developers up to $30,000 if they are able to identify exploits within the code.

Prior to its removal of the JPush plugin, DJI also introduced a "local mode" that prevents its drones from transmitting any user data from the drones to DJI servers.      

3 Comments

If they were serious about wanting to uncover security threats they would be offering 10X this amount of money. As a coder, I am not going to spend countless hours to find vulnerabilities unless it is worth my while.

August 28, 2017 at 8:31PM

37
Walter Wallace
YouTuber
1562

DJI should rather spend money on:
- signed/certified USB drivers for their Windows tools (instead of letting users disable hidden security settings)
- modern Windows tools instead of this embarrassing 1990 style
- executability of Android apps (some smartphones have issues though Bluetooth standard is given)

August 29, 2017 at 3:09AM, Edited August 29, 3:10AM

0
JeffreyWalther
Steadicam Operator/Owner
2247

Gosh... Drones are becoming a mess... :)
Lol.

August 29, 2017 at 3:46AM

0
Sameir Ali
Director of Photography
1080