Drone manufacturer DJI is under fire because the "Get it on Google Play" button on its website for its smartphone app does anything but that.
An anonymous reader pointed El Reg on Thursday to a GitHub-hosted page outlining how users on Android devices who click the "Get it on Google Play" button on DJI's Spark software download page, and via a QR code, are not redirected to Google's official store as expected – but instead to a DJI server that gives them the Android version of the drone controller software.
El Reg has verified for itself that this does indeed happen when you hit the website's button.
This is not particularly brilliant because the app may not have gone through the Google Play store's usual round of checks for malicious code, not that these checks are perfect. It also encourages netizens to believe that it's OK to trust any old software installer downloaded to their phone. The same concerns popped up when Fortnite snubbed the store in August.
"Clicking on the link downloads the DJI Go Android app directly from DJI's servers – not from Google Play," the GitHub page, created by an anonymous person, explained.
"The intent here isn't for people to be clicking on the 'Get It On Google Play' image in browsers, but rather tapping on the safe looking 'Get It On Google Play' via their Android devices."
Oddly, we're told DJI maintains its software on the Google Play store and the iOS App Store, so users who go through those services directly themselves will still get the software through Google or Apple, respectively. It is only the website's download page itself where the hosted version of the app is served up to Android devices. Which should set off alarm bells: what's so special, or unwanted, about this off-store download?
We've asked DJI for some explanation as to what was going on, and a spokesperson said they'd look into it for us. However, at the time of publication the company had yet to provide its side of the story.
The fear, as the anonymous report notes, is that users who think they are getting an Android app that has been vetted and screened by Google are instead getting software via a side channel.
We understand that Google has been informed of the activity, but had yet to take any action. Interestingly, the application .apk served up by DJI's page does appear to vary slightly from what is in the Play Store.
"At first glance, there are definitely differences between DJI's .apk, and Google Play's .apk," the anonymous prober concluded. "Configuration files are present in the DJI version that aren't in Google Play's version."
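The comparison the prober describes can be reproduced by listing both packages as ZIP archives and hashing each entry. The following is an added example, not the prober's or DJI's code; the two sample archives are constructed in memory and the entry name `assets/extra_config.json` is hypothetical.

```python
import hashlib
import io
import zipfile


def apk_entries(apk):
    """Map each entry name to the SHA-256 of its uncompressed content.

    `apk` is a file path or a binary file object (an APK is a ZIP archive).
    """
    with zipfile.ZipFile(apk) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_apks(store_apk, site_apk):
    """Report entries added, missing or altered in the website-served APK."""
    store, site = apk_entries(store_apk), apk_entries(site_apk)
    shared = store.keys() & site.keys()
    return {
        "only_in_site": sorted(site.keys() - store.keys()),
        "only_in_store": sorted(store.keys() - site.keys()),
        "changed": sorted(n for n in shared if store[n] != site[n]),
    }


def build_sample(files):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf


# Constructed sample data, not the real DJI packages.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
STORE_APK = build_sample({**COMMON, "META-INF/CERT.RSA": b"store-signature"})
SITE_APK = build_sample({
    **COMMON,
    "META-INF/CERT.RSA": b"site-signature",
    "assets/extra_config.json": b'{"channel": "website"}',  # hypothetical extra file
})

if __name__ == "__main__":
    for kind, names in diff_apks(STORE_APK, SITE_APK).items():
        print(f"{kind}: {names}")
```

A file-level diff is a triage step only; comparing the signing certificates of the two packages (for example with `apksigner verify --print-certs`) shows whether they were signed with the same key.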
Thus far there's no indication the website's download is unsafe. However, the fact that DJI is choosing to steer its customers away from the Google app bazaar via a side channel is strange, to say the least.
We will update this story should we hear back from DJI. ®
Updated to add
A spokesperson for DJI has been in touch to say the button link was an accident, and it'll be corrected to point to the Google Play store.