Drone-maker DJI's Go app contains naughty JavaScript hot-patching framework

Apple has already smitten JSPatch once this year

Updated Chinese drone firm DJI appears to have baked a hot-patching framework into its Go app that breaks Apple's App Store terms and conditions, according to drone hacker sources.

The patching framework in question, JSPatch, appears to be baked into the iOS version of Go. Earlier this year Apple ejected a handful of JSPatch-using apps from the App Store.

China Daily said at the time that over 45,000 apps had been booted due to "hot-patching" concerns.

JSPatch, along with similar hot-patching frameworks such as Rollout.io, fell foul of Apple because it lets an app fetch JavaScript at runtime and use it to replace or add Objective-C methods through the runtime, so substantial changes can be made to an app's behaviour without triggering a review from Apple. Such reviews are mandatory for all new apps and for updates to existing apps.

Anything that gets around review processes, regardless of motivation, raises questions about security. A year ago El Reg warned that JSPatch "had inadvertently spawned a serious security risk for iOS app users".

A similar framework called Tinker is baked into the Android version of DJI Go, according to sources familiar with the two apps. Both Tinker and JSPatch allow code to be silently updated after installation; code shipped this way runs with the permissions the user has already granted and could use them in ways not previously disclosed to the user.
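The first thing a practitioner would want after reading the above is a way to tell whether an app they have pulled apart carries one of these frameworks. The following is an added example, not code from the article or from DJI: a small string scanner over an extracted app binary that looks for framework markers. Of the markers, JPEngine is JSPatch's Objective-C engine class and com.tencent.tinker is Tinker's Java package; the remaining strings and the sample payloads are constructed for illustration and are not taken from DJI Go.

```python
import re

# Signature table. Assumption: a small illustrative set, not an official or
# exhaustive list. "JPEngine" is JSPatch's engine class and
# "com.tencent.tinker" is Tinker's package (the DEX form uses slashes);
# the other strings are weaker corroborating hints.
HOTPATCH_SIGNATURES = {
    "JSPatch (iOS)": [rb"JPEngine", rb"JSPatch"],
    "Tinker (Android)": [rb"com[./]tencent[./]tinker", rb"TinkerLoader"],
}


def extract_strings(blob, min_len=6):
    """Crude strings(1) equivalent: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, blob)]


def scan_for_hotpatch(blob):
    """Return {framework: sorted unique matching strings} for every framework
    with at least one hit. An empty dict means no known marker was found."""
    hits = {}
    for name, patterns in HOTPATCH_SIGNATURES.items():
        found = set()
        for s in extract_strings(blob):
            if any(re.search(pat, s) for pat in patterns):
                found.add(s.decode("ascii"))
        if found:
            hits[name] = sorted(found)
    return hits


def scan_file(path):
    """Scan a decrypted Mach-O binary or an APK's classes.dex on disk."""
    with open(path, "rb") as f:
        return scan_for_hotpatch(f.read())


# Constructed sample payloads (not real DJI Go binaries): a few bytes of
# binary noise around strings shaped like a Mach-O cstring section and a
# DEX string table, plus a clean control sample.
SAMPLE_IOS = b"\x00\xcf\xfa\xed\xfeT@16@0:8\x00JPEngine\x00startEngine\x00evaluateScript:\x00"
SAMPLE_ANDROID = b"dex\n035\x00\x00\x00Lcom/tencent/tinker/loader/TinkerLoader;\x00tryLoad\x00"
SAMPLE_CLEAN = b"\x00\x01\x02UIViewController\x00viewDidLoad\x00"

if __name__ == "__main__":
    for label, blob in [("ios", SAMPLE_IOS), ("android", SAMPLE_ANDROID), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_for_hotpatch(blob))
```

A hit only says the framework is linked in, not that a patch has ever been served; confirming that means watching the app's network traffic for the script or patch download. On iOS the binary must be decrypted (a FairPlay-encrypted App Store download will show none of these strings), and on Android the APK may carry several DEX files, each of which needs scanning.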

The support person for DJI in the US commented in another thread about JSPatch that they "have been told both Android and iOS will have this functionality removed in the next release".

We have asked Apple for comment and will update if and when we hear back.

Earlier this month the US Army ordered all of its formations to stop using DJI products, including drones and apps, citing unspecified "cyber vulnerabilities".

It is not difficult to draw a line between the remote update facilities uncovered by users cracking into DJI's software and the US Army's decision, though at the time the American military declined to reveal further details and DJI's public position was that it had no idea what upset the Pentagon.

DJI representatives did not respond to our request to explain the JSPatch/Tinker situation, having said only that they needed to talk to the company's "overseas technical team" first. DJI is a Chinese firm, though it has extensive consumer-facing operations in the West.

However, the company did announce it is launching a "local data mode" that "stops internet traffic to and from its flight control apps". This, DJI said in a statement, "will stop [apps] sending or receiving any data over the internet, giving customers enhanced assurances about the privacy of data generated during their flights."

Local data mode appears to be similar to enabling flight mode on a mobile phone: the firm says its use will block updates to maps, geofencing information and new flight restrictions, as well as other software updates.

This is a clear response to the US Army ban on all DJI equipment, presumably in the hope that stopping the drones and their associated apps phoning home to China (pictures and videos can be synced with DJI's Flickr-style drone photo-sharing website) will soothe the US military's concerns.

We have asked the US Army if it will restart use of DJI products following this announcement and will update this article if we hear back from them.

British police forces are making increasing use of drones as cheap alternatives to full-blown helicopters. The Devon and Cornwall, Dorset, and Norfolk forces have all used DJI products in trials, with D&C deciding to build its drone unit around DJI Inspire 1 quadcopters. That these aircraft rely on apps which could have been silently tweaked to allow a third party access to live surveillance data gathered by police is undesirable, to say the least. ®

Update

DJI corp comms director Adam Lisberg got in touch with us after publication to say: "DJI will release new versions of the DJI GO apps by the end of August with the code in question removed."


Biting the hand that feeds IT © 1998–2017