Drone-maker DJI's Go app contains naughty Javascript hot-patching framework

Apple has already smote JSPatch once this year

Updated Chinese drone firm DJI appears to have baked a hot-patching framework into its Go app that breaks Apple's App Store terms and conditions, according to drone hacker sources.

The patching framework in question, JSPatch, appears to be baked into the iOS version of Go. Earlier this year Apple ejected a handful of JSPatch-using apps from the App Store.

China Daily said at the time that over 45,000 apps had been booted due to "hot-patching" concerns.

JSPatch, along with similar hot-patching frameworks such as Rollout.io, fell foul of Apple because it allows substantial changes to be made to apps without triggering a review from Apple. Such reviews are mandatory for all new apps and updates to existing apps.

Anything that gets around review processes, regardless of motivation, raises questions about security. A year ago El Reg warned that JSPatch "had inadvertently spawned a serious security risk for iOS app users".

A similar framework called Tinker is baked into the Android version of DJI Go, according to sources familiar with the two apps. Both Tinker and JSPatch allow silent updates which could use existing permissions in new ways not previously disclosed to the user.

The support person for DJI in the US commented in another thread about JSPatch that they "have been told both Android and iOS will have this functionality removed in the next release".

We have asked Apple for comment and will update if and when we hear back.

Earlier this month the US Army ordered all of its formations to stop using DJI products, including drones and apps, citing unspecified "cyber vulnerabilities".

It is not difficult to draw a line between the remote update facilities uncovered by users cracking into DJI's software and the US Army's decision, though at the time the American military declined to reveal further details and DJI's public position was that it had no idea what upset the Pentagon.

DJI representatives did not respond to our request to explain the JSPatch/Tinker situation, having said only that they needed to talk to the company's "overseas technical team" first. DJI is a Chinese firm, though it has extensive consumer-facing operations in the West.

However, the company did announce it is launching a "local data mode" that "stops internet traffic to and from its flight control apps". This, DJI said in a statement, "will stop [apps] sending or receiving any data over the internet, giving customers enhanced assurances about the privacy of data generated during their flights."

Local data mode appears to be similar to enabling flight mode on a mobile phone: the firm says its use will block all updates to maps, geofencing information, new flight restrictions and other software updates.

This is a clear response to the US Army ban on all DJI equipment, presumably in the hope that stopping the drones and their associated apps phoning home to China (pictures and videos can be synced with DJI's Flickr-style drone photo-sharing website) will soothe the US military's concerns.

We have asked the US Army if it will restart use of DJI products following this announcement and will update this article if we hear back from them.

British police forces are making increasing use of drones as cheap alternatives to full-blown helicopters. The Devon and Cornwall, Dorset, and Norfolk forces have all used DJI products in trials, with D&C deciding to build its drone unit around DJI Inspire 1 quadcopters. That these aircraft rely on apps which could have been silently tweaked to allow a third party access to live surveillance data gathered by police is undesirable, to say the least. ®


DJI corp comms director Adam Lisberg got in touch with us after publication to say: "DJI will release new versions of the DJI GO apps by the end of August with the code in question removed."

Similar topics

Narrower topics

Other stories you might like

  • DARPA wants to refuel drones in flight – wirelessly
    Boffin agency seeks help to shoot 100kW through the air with lasers, but contributors don't have long to deliver

    US military researchers are trying to turn in-flight refueling tankers into laser-shooting "airborne energy wells" for charging drones, and they want the public's help to figure out how.

    The Defense Advanced Research Projects Agency (DARPA) published a request for information (RFI) from anyone willing and able to contribute their tech, with a few caveats. It needs to fit on existing in-flight refueling tankers (the newer KC-46 and Cold War-era KC-135, specifically) and be able to deliver 100kW of power.

    Militaries around the world have been using in-flight refueling for decades to extend aircraft patrols and long-range missions. With a history of development stretching back to the 1920s, the practice has since developed into a standard part of operating an air fleet powered by aviation fuel.

    Continue reading
  • Drone ship carrying yet more drones launches in China
    Zhuhai Cloud will carry 50 flying and diving machines it can control with minimal human assistance

    Chinese academics have christened an ocean research vessel that has a twist: it will sail the seas with a complement of aerial and ocean-going drones and no human crew.

    The Zhu Hai Yun, or Zhuhai Cloud, launched in Guangzhou after a year of construction. The 290-foot-long mothership can hit a top speed of 18 knots (about 20 miles per hour) and will carry 50 flying, surface, and submersible drones that launch and self-recover autonomously. 

    According to this blurb from the shipbuilder behind its construction, the Cloud will also be equipped with a variety of additional observational instruments "which can be deployed in batches in the target sea area, and carry out task-oriented adaptive networking to achieve three-dimensional view of specific targets." Most of the ship is an open deck where flying drones can land and be stored. The ship is also equipped with launch and recovery equipment for its aquatic craft. 

    Continue reading
  • Chinese drone-maker DJI suspends ops in Russia, Ukraine
    First Middle Kingdom company to take a stance says it doesn't want anyone weaponizing its flying machines

    In a first for a major Chinese tech company, drone-maker DJI Technologies announced on Tuesday that it will temporarily suspend business in both Russia and Ukraine.

    "DJI is internally reassessing compliance requirements in various jurisdictions. Pending the current review, DJI will temporarily suspend all business activities in Russia and Ukraine. We are engaging with customers, partners and other stakeholders regarding the temporary suspension of business operations in the affected territories," declared DJI in a canned statement.

    Last week the company issued another statement clarifying that it did not market or sell its products for military use and "unequivocally opposed attempts to attach weapons to [its] products." DJI also said it "refused to customize or enable modifications that would enable [its] products for military use."

    Continue reading

Biting the hand that feeds IT © 1998–2022