Drone-maker DJI's Go app contains naughty JavaScript hot-patching framework

Apple has already smote JSPatch once this year

Updated: Chinese drone firm DJI appears to have baked a hot-patching framework into its Go app that breaks Apple's App Store terms and conditions, according to drone hacker sources.

The patching framework in question, JSPatch, appears to be baked into the iOS version of Go. Earlier this year Apple ejected a handful of JSPatch-using apps from the App Store.

China Daily said at the time that over 45,000 apps had been booted due to "hot-patching" concerns.

JSPatch, along with similar hot-patching frameworks such as Rollout.io, fell foul of Apple because it allows substantial changes to be made to apps without triggering a review from Apple. Such reviews are mandatory for all new apps and updates to existing apps.

Anything that gets around review processes, regardless of motivation, raises questions about security. A year ago El Reg warned that JSPatch "had inadvertently spawned a serious security risk for iOS app users".

A similar framework called Tinker is baked into the Android version of DJI Go, according to sources familiar with the two apps. Both Tinker and JSPatch allow silent updates which could use existing permissions in new ways not previously disclosed to the user.
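For anyone auditing an app package for these frameworks, a first-pass check is to search the files inside the IPA or APK for the frameworks' class and package names. The sketch below is an added example, not code from DJI, Apple or either framework. The marker strings (`JPEngine` for JSPatch, `com.tencent.tinker` for Tinker) are assumptions taken from the frameworks' public source, and the sample packages are constructed in memory.

```python
import io
import zipfile

# Assumed markers: JSPatch's Objective-C engine class is JPEngine; Tinker's
# Java package is com.tencent.tinker (written com/tencent/tinker in dex files).
MARKERS = {
    "JSPatch": [b"JPEngine", b"JSPatch"],
    "Tinker": [b"com/tencent/tinker", b"com.tencent.tinker"],
}

def scan_package(data: bytes) -> dict:
    """Return {framework: sorted archive members that contain a marker}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            blob = archive.read(info)
            for framework, needles in MARKERS.items():
                if any(needle in blob for needle in needles):
                    hits.setdefault(framework, []).append(info.filename)
    return {name: sorted(files) for name, files in hits.items()}

def build_sample(members: dict) -> bytes:
    """Build a constructed in-memory zip standing in for an IPA or APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()

# Constructed samples: file names and contents are illustrative only.
SAMPLE_IPA = build_sample({
    "Payload/Example.app/Example": b"\xcf\xfa\xed\xfe\x00_OBJC_CLASS_$_JPEngine\x00",
    "Payload/Example.app/Info.plist": b"<plist></plist>",
})
SAMPLE_APK = build_sample({
    "classes.dex": b"dex\n035\x00Lcom/tencent/tinker/loader/TinkerLoader;",
    "AndroidManifest.xml": b"\x03\x00\x08\x00",
})
SAMPLE_CLEAN = build_sample({"classes.dex": b"dex\n035\x00Lcom/example/Main;"})

if __name__ == "__main__":
    for label, pkg in [("ipa", SAMPLE_IPA), ("apk", SAMPLE_APK), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_package(pkg))
```

A match is a triage signal only: renamed or obfuscated classes will not match, and an encrypted App Store binary has to be decrypted before its strings are visible.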

The support person for DJI in the US commented in another thread about JSPatch that they "have been told both Android and iOS will have this functionality removed in the next release".

We have asked Apple for comment and will update if and when we hear back.

Earlier this month the US Army ordered all of its formations to stop using DJI products, including drones and apps, citing unspecified "cyber vulnerabilities".

It is not difficult to draw a line between the remote update facilities uncovered by users cracking into DJI's software and the US Army's decision, though at the time the American military declined to reveal further details and DJI's public position was that it had no idea what upset the Pentagon.

DJI representatives did not respond to our request to explain the JSPatch/Tinker situation, having said only that they needed to talk to the company's "overseas technical team" first. DJI is a Chinese firm, though it has extensive consumer-facing operations in the West.

However, the company did announce it is launching a "local data mode" that "stops internet traffic to and from its flight control apps". This, DJI said in a statement, "will stop [apps] sending or receiving any data over the internet, giving customers enhanced assurances about the privacy of data generated during their flights."

Local data mode appears to be similar to enabling flight mode on a mobile phone: the firm says its use will block all updates to maps, geofencing information, new flight restrictions and other software updates.

This is a clear response to the US Army ban on all DJI equipment, presumably in the hope that stopping the drones and their associated apps phoning home to China (pictures and videos can be synced with DJI's Flickr-style drone photo-sharing website) will soothe the US military's concerns.

We have asked the US Army if it will restart use of DJI products following this announcement and will update this article if we hear back from them.

British police forces are making increasing use of drones as cheap alternatives to full-blown helicopters. The Devon and Cornwall, Dorset, and Norfolk forces have all used DJI products in trials, with D&C deciding to build its drone unit around DJI Inspire 1 quadcopters. That these aircraft rely on apps which could have been silently tweaked to allow a third party access to live surveillance data gathered by police is undesirable, to say the least. ®


DJI corp comms director Adam Lisberg got in touch with us after publication to say: "DJI will release new versions of the DJI GO apps by the end of August with the code in question removed."
