Well, I guess now we know why the US Army pulled all of its DJI products from service. DJI have removed the JPush plugin from the DJI Go and DJI Go 4 apps. It turns out that it had been collecting user data without its knowledge. Not without the user’s knowledge, without DJI’s knowledge. DJI blame the third-party developer who created the JPush plugin.
The Verge reports that JPush wouldn’t have needed to collect a lot of data to do its job. But DJI say the app actually collected personal information, including a list of apps installed on the user’s Android device. In addition to this update, they’ve also announced a bug bounty programme rewarding up to $30,000 for those who can find exploits in their systems.
The JPush plugin was designed to provide smooth delivery of push notifications to Android devices once videos had completed the upload to DJI’s branded photo & video sharing platform, Skypixel. But it was doing far more than that, recording and reporting back personal information.
Many balked when DJI recently announced “Local Mode” that will let you fly your drone without Internet data on your mobile device. This seems to justify those privacy concerns. It’s obviously something that DJI are taking very seriously. Whether or not this particular issue is what the US Army declared as “Cyber Vulnerabilities” three weeks ago is unclear, but it would explain the move.
DJI have also removed their “hot-patching” plugins, jsPatch for iOS and Tinker for Android. These let DJI update elements of their drone apps without having to update the entire app.
While DJI blame the third-party company that maintains the plugin for the issue, it is ultimately their responsibility. They really should check the systems they distribute through their own platform. But it is nice to see them taking things seriously enough to offer a bounty for those who can identify security issues and exploits within their system.
[via The Verge]