An Android application that controls a drone manufactured by China-based Da Jiang Innovations (DJI) contains a self-update feature that bypasses the Google Play Store, thus creating the ability for the app to transmit sensitive personal information to DJI’s servers or possibly the Chinese government.

The DJI GO 4 Android app has been designed for use on drones that have a broad range of applications, from military and law enforcement to use by photographers and various hobbyists. DJI’s drones have become so controversial that both the DOD and U.S. Interior Department have stopped using them with DOD issuing an outright ban.

French researchers at Synacktiv confirmed their findings with GRIMM security research group, according to GRIMM CEO Brian DeMuth. The two companies both released blogs on the findings, first reported by the New York Times.

“While we can’t prove intent, what we can say is that it could allow [either DJI or the Chinese government] to make very serious privacy violations,” DeMuth said. “We don’t feel that the users are fully aware of what the app is supposed to do. And we don’t think the users have any idea of the extent of data collection going on.”

Tiphaine Romand-Latapie, reverse engineering team lead for Synacktiv, said the research was confined to the Android application. She said the flaw they found in the Android app does not apply to iOS apps, noting that the Apple ecosystem is more stringent and proprietary would most likely inhibit that kind of manipulation.  

Synacktiv’s report fully describes the DJI GO 4’s custom update mechanism in elaborate technical detail. According to the report, the update service does not use the Google Play Store and thus, is not subject to Google’s review process. So there’s no guarantee that the application that gets downloaded for one user matches that of another user. If DJI’s update server is malicious or becomes compromised, it could use this mechanism to target individual users with malicious application updates.

“This behavior is a violation of Google’s Developer Program Policies,” Romand-Latapie said. “We don’t know if it was malice, or if it was ignorance, but we do feel that DJI was taking advantage so that it could run updates out-of-band from the Google Play Store.

From a user perspective, here’s how it works: Independently from the Google Play Store, the DJI 4 GO application prompts the user with an update notification. Once the user clicks on the update notification, they are asked to install the update. And in the most sinister aspect of this, in installing the update, the user gets asked to give the DJI Go 4 application the “Install Unknown Apps” permission – a clear violation of Google’s developer policies and a completely insecure way to run an update. 

“The application also restarts itself when closed via the Android swipe closed gesture,” explained DeMuth. “So users may be tricked into thinking the application is closed, but it could be running in the background while sending telemetry requests.”

According to Synacktiv’s blog, given the wide permissions required by DJI GO 4, including access contacts, microphone, camera, location, storage and change network connectivity, DJI’s servers potentially have full control over the user’s phone. They also would have full physical control of the drone. This way of updating an Android App or pushing a new app completely circumvents Google’s update processes. This means Google can’t do any verification on update and modifications pushed by DJI.

Google has indicated that the DJI GO 4 application has been installed on more than 1 million personal devices worldwide, which suggests that security risks are widespread.

GRIMM’s DeMuth said he expects that DJI will fix the update issue within the next 24 hours. He said they did so earlier this year when River Loop Security found a flaw in a different DJI app.

In a lengthy blog post today, DJI disputes the researchers claims and said both the U.S. Homeland Security Department and Booz Allen have found no unexpected data transmission connections from DJI’s apps designed for government and professional customers.

Kristina Balaam, senior security intelligence engineer at mobile security company Lookout, said whenever an official mobile app store gets circumvented to install an application, the integrity of the user’s device and personal data are at risk.  “Regardless of how legitimate the developer may be, there’s always the risk that their infrastructure might be compromised and you could receive a download from a malicious source,” Balaam said. “From an engineering perspective, sending an application directly to the user’s device, rather than distributing it through Google Play violates best practices for application security. It removes the app-vetting line of defense that accompanies distribution through a mobile app store and could potentially leave your customers vulnerable to attack if your organization ever suffered a security breach.”