- Capture the world from above. DJI GO 4.0 has been optimized for all of DJI's latest products. These include the Phantom 4,Mavic Pro, Phantom 4 Pro, and Inspire 2. It provides near real-time image transmission and camera settings adjustment, as well as editing and sharing of aerial imagery. Features: All-new Homepage and UI Near Real-time HD Image Transmission Camera Settings Adjustment.
- Download the apk file of the application you need (for example: DJI GO 4-For drones since P4) and save to your phone 3. Open the downloaded apk file and install Capture the world from above. DJI GO 4.0 has been optimized for all of DJI's latest products. These include the Phantom 4,Mavic Pro, Phantom 4 Pro, and Inspire 2.
Dji go 4 free download - iDealshare VideoGo, ZyGoVideo for QuickTime (OS X), iTubeGo, and many more programs. DJI GO application is available on both Smartphone and iOS. But the DJI brand is hard at work to create a new SDK of drone for Windows 10 which will allow the control and transfer of data with Windows 10. DJI GO 4 app runs on a mobile, and it is a nice choice to edit drone videos on-the-go. That said, there are some pitfalls that could make your mobile editing a nightmare:. DJI videos are saved in cached versions in the DJI GO app. Thus, if you wish to edit and save it at high definition, i.e., better image quality, you will have to download.
This is an application that you will be more than useful to improve stability or to remotely control devices DJI. It allows to perform a large number of settings with the devices of the brand and offers almost professional renderings. DJI GO application is available on both Smartphone and iOS. But the DJI brand is hard at work to create a new SDK of drone for Windows 10 which will allow the control and transfer of data with Windows 10.
What to do with the DJI GO app?
DJI GO application allows to optimize the operation of devices of brand DJI, a manufacturer of drones, cameras and stabilizers. DJI GO is an essential application for pilots to drones, as confirmed beginner. Very intuitive, it allows access to advanced settings and unique assisted flight patterns in the use of the facilities of brand DJI. Helping you become familiar with these, it offers several features of which the most prominent is the video back to your live camera. Indeed, it allows the transmission and adjusting images in near-real time, as well as editing and sharing the images. Among other functions, there are:
- The transmission of HD images almost in real time.
- The setting of the camera settings and the update of the playback interface;
- The diversification of models and tracks of music in Notepad;
- Download, editing and sharing videos;
- Broadcasting live integrated;
- Registration of flight in near real-time data;
- Activation of different modes for filming.
After image processing, the application allows you to directly post them on social networks.
Written by - 23/07/2020 - in Systems , Reverse-engineering - Download
Drones are currently one of the most dynamic products, with multiple use cases across sectors such as personal and commercial videography, farming and land surveying, law enforcement and national security, and more. One of the market leaders, China-based Daijiang Innovations (DJI), is often in the news for suspected cybersecurity and data privacy issues.
While there are technical reports sponsored by DJI stating that their associated mobile application, DJI GO 4, is harmless and does not send any personal information back to the Chinese manufacturer, we wanted to assess the technical capabilities of the application ourselves.
While there are technical reports sponsored by DJI stating that their associated mobile application, DJI GO 4, is harmless and does not send any personal information back to the Chinese manufacturer, we wanted to assess the technical capabilities of the application ourselves.
Drones are currently one of the most dynamic products, with multiple use cases across sectors such as personal and commercial videography, farming and land surveying, law enforcement and national security, and more. One of the market leaders, China-based Daijiang Innovations (DJI), is often in the news for suspected cybersecurity and data privacy issues 123.
While there are technical reports 4 sponsored by DJI stating that their associated mobile application, DJI GO 4, is harmless and does not send any personal information back to the Chinese manufacturer, we wanted to assess the technical capabilities of the application ourselves.
We found that :
- Despite being under scrutiny, DJI did not improve the transparency surrounding the potential abuse of its Android mobile application: DJI GO 4 application makes use of the similar anti-analysis techniques as malware, such as anti-debug, obfuscation, packing and dynamic encryption.
- After de-obfuscation, our research located two features of the software that call home and wait for a file that orders the user’s phone to install a forced update or install a new software. This mechanism is very similar to command and control servers encountered with malwares. Given the wide permissions required by DJI GO 4 5 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone. This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery 6 or in-app updates 7. Google is not able then to do any verification on update and modifications pushed by DJI. According to Google Play, the application has been installed on more than a million personal devices, suggesting any security risks are widespread.
- The MobTech component embedded in recent versions of DJI Android GO 4 application collects personal data such as IMSI, IMEI, the serial number of the SIM card, etc. This data is not relevant or necessary for drone flights and go beyond DJI privacy policy 8. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop communications.
- The DJI GO 4 application on the Android platform does not close when the user closes the app with a swipe right. The app continues to run in the background and makes network requests.
- Whereas our findings affect the Android version of DJI GO 4, the iOS version of the application is not obfuscated and doesn’t have the hidden update mechanisms.
Thus, users of the DJI drone are advised to use caution, due to the risks of leakage or misuse of sensitive data elements, and hidden command and control features, seemingly not needed for safe or secure use of the product.
The DJI GO 4 application for Android
Dji Go 4 App Download For Mac
The recommended way to pilot DJI drones is to connect a phone to the remote controller and use the DJI GO 4 application. It is not possible to pilot these aircrafts by default without the application running on a mobile device. We did our testing with a Mavic 2 but DJI GO 4 is used for most DJI drones.
We analyzed several samples of the application on the Android plateform, namely:
- version v4.3.36_200426 updated May 12, 2020 (SHA256
3887b663709c5f4b586289d25449a740f268a3b2c66f78a53ab33a124c9e9208
) - version V4.3.25-2036168 released October 9, 2019 (SHA256
1e6f1a0151c2655069e45c1d858b5541a017b474c520c73b615cba6fa57a394f
) - version V4.1.22-3028592-nosecneo released in December 2017 (SHA256
8e29e190e9b0879960dac27d73a63100959ef52aada1baa51cf45eccfc5beeb2
).
Unpacking
While it is possible to retrieve unencrypted older versions of this application, we had to unpack the last version before proceeding with the analysis.
A variation of the
SecNeo/BangCle
protection scheme 9 is used, which decrypts several Dex
files and loads them in memory.The unpacking routine is implemented in a native library, named
libDexHelper.so
. This library is obfuscated using code flattening and almost all the strings are decrypted on the stack before use.For example, in the following snippet, the library is looking for a specific Huawei phone model.
While it would be fun to completely statically analyze this library, we want to have access to the rest of the application quickly.
Breaking the SecNeo/BangCle packer has been described publicly 10, however the provided tools did not work on our setup. In order to dump the decrypted dex files, we used Frida 11 to hook into the application and to dump the memory mapped files to disk. The usual SecNeo/BangCle decrypts one dex file, but we noticed that this app decrypts no less than seven dex files.
Static Analysis
With the application fully decrypted, we decompiled it with
jadx
12 in order to analyze it.However, the developers left us some more challenges to slow down the security analysis.
Decrypting the strings
Almost all the strings in the application are ciphered using a
XOR
based scheme. The key used for the decryption is the same in both samples and a decryption script was reimplemented. This script was then executed on each decompiled java file, which resulted in almost all the strings being decrypted.Side quest: Breaking the AES whitebox
The application uses an AES Whitebox in order to decrypt what it considers as sensitive elements:
- The hashes of the trusted certificates in the certificate pinning utility
- The RSA public key which is used to verify the signature of the No-Fly-Zone file
- The hashes of several FlySafe related databases
The whitebox functions are based on
JNI
wrapped linking to the libwaes.so
library.At first, we ripped the AES whitebox in order to statically decrypt the data, but we also succeeded in breaking it using Differential Fault Analysis with the Deadpool tools 13.
Breaking this whitebox can be done in a few steps:
- Ripping off the whitebox data from the binary (at address
0x5004
) - Reimplementing the block encoding and encryption function (
0xFF0
and0x12EC
) in a python script - Giving the python script and the whitebox data as arguments to DeadPool
![For For](/uploads/1/2/5/8/125863535/455459852.png)
The reimplementation is left as an exercise to the reader. As seen in the example, the key used to hide some of the features is weak. However, the suspicious features we found were not protected with the AES whitebox.
Encryption of log files
DJI application implements its custom log Utility, named DJILogUtils, located in
dji.log
. Logs are encrypted with AES 256 CBC with a PBKDF2 derived password. This could appears as a strong mechanism, but password is defined in the dji.log.impl.SimpleEncryption
:The key is then derived through PBKDF2. The AES key is
e9e856d55943731ac585dcda656f95c5
. The IV is hardcoded: 9d6c5cab5b0281255a222d1c861ddfdf
. All logs are splitted and stored in /storage/emulated/0/DJI/dji.go.v4/LOG/CACHE/
such as log-2020-02-18.log
or BatteryEmbed/log-2020-02-02.log
.Shady features
Auto update mechanism
While Google Store is usually used to update an application, DJI also implements its own update mechanism in the
DJISelfUpgradeManager
class.The application checks the URL
hxxps://service-adhoc.dji.com/app/upgrade/public/check
for a configuration file and can even force the update of the application if the flag forceUpdate
is set in the JSON answer.The application will then download the provided APK application on the arbitrary provided URL, and prompt the user to install it.
We managed, using a Frida11 script 14 to bypass the SSL pinning and intercept the request. We subsequently modified the request using Burp15 to trigger the update mechanism.
As shown below, the request to the service does not include personal identifiers, however the IP address of the client can be used to correlate to a specific user using the other telemetry services of the application.
An example of answer we got from DJI's server is shown below:
Using Burp's Match and Replace feature, we modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed.
As seen in the screenshot below, DJI has a full control over the message displayed to the user during the second prompt, thus this message can convince the user to install the application.
The last prompt is asking for a confirmation before installation, displaying the application name (here Security Updates ) and a default message.
Given the wide permissions required by DJI GO 5 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or affiliated third-party servers have almost full control over the user’s phone. This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery 6 or in-app updates 7. Google is not able then to do any verification on update and modifications pushed by DJI.
Therefore, any security assessment made on this application, such as Kivu 4, is strongly limited because potential malicious code can be pushed by DJI afterwards through this auto-update mechanism.
The user cannot have control on the version and features of the application he runs.
Weibo SDK APK Downloader
The sharing functionality of the application uses a SDK developed by the Chinese company Weibo.
This SDK is named
com.sina.weibo.sdk
. When initiated, this SDK starts by checking an application specific token by using the WbAppActivator
class, then two message handlers are registered by this class: AppInvokeCmdExecutor
and AppInstallCmdExecutor
.The
WbAppActivator
then creates a new thread, querying each hour (by default) new commands on the URL hxxp://api.weibo.cn/2/client/common_config
.The result of the request is then decrypted using the AES algorithm in ECB Mode, and a key derived from a strong Game of Thrones secret (eg the MD5 of
Stark
).The decrypted message is now handled by one of the two command handlers, the most interesting one being
AppInstallCmdExecutor
.This handler download the URL passed in the command text and then prompts the user to install the arbitrary APK downloaded, acting as a dropper.
This functionality is activated only when the user attempts to stream using Weibo.
DJI Internal requests
The application communicates through a lot of .dji.com websites.
At each startup, the app registers itself through the URL
hxxps://mydjiflight.dji.com/api/v2/register_device
with information related to the app.It then polls this website to get access to geocode information related to localization.
The DJI account used to access the application is used to autolog into the
hxxps://www.skypixel.com
social network.By hooking some classes with Frida, we can see that the access are not made anonymously. For example, flight logs use an id and token to identify the owner of the drone:
hxxps://mydjiflight.dji.com/api/v2/flight_log/profile?user_id=<numerical id>
hxxps://mydjiflight.dji.com/flight/overview?token=<token>
Other calls are made to other DJI related websites, namely:
flysafe-api.dji.com
terra-2-g.djicdn.com
account-api.dji.com
djigo-hk.djiservice.org
djigoapi.djiservice.org
developer.dji.com
store.dji.com
statistical-report.djiservice.org
Telemetry
BugLY telemetry
bugly
is a crash reporting module provided by the Chinese company Tencent
.It was used in previous versions of the application (including the
v4.1.22
we analyzed).This SDK registers a crash monitor for the application and store them in a SQLite database before having a network connection and sending them to a configurable URL (for example:
hxxp://android.bugly.qq.com/rqd/async
).The crash reports include, amongst others, the following elements:
- The IMSI and IMEI serial numbers of the phone
- The MAC address of the Wi-Fi interface
- The
android_id
of the phone - The serial number of the SIM card
- The status of the mounted filesystems
The information collected at the time by this feature seems to go beyond DJI privacy policy 8 especially concerning identification numbers used only by cellular network operators (IMSI, IMEI, serial number of the SIM card).
This framework was removed from the application between the versions 4.1.22 and 4.3.25. Several concerns about this telemetry were published by security researchers and journalists 16.
Mapbox telemetry
DJI is using a map service published by the provider MapBox. This service is sending telemetry pingbacks to its publisher, as publicly documented 17.
However, we found that this telemetry is quite verbose, as an event is sent each time the map is clicked or dragged.
Gaode/AMAP telemetry
AMAP, also named Gaode, is a Chinese cartography service provider and a subsidiary of Alibaba. Its cartography framework is used in the application and contains several interesting items:
- It decrypts its server names using simple xor based algorithms
- If the collection is enabled in the SDK configuration, it sends both the mobile phone IMSI identifier and its current location, which enables the provider to track a specific phone given its IMSI.
- Most of the communications between the application and the servers are performed over HTTP.
However, it seems that this SDK only is only activated when the user is geolocated in China.
MOB SDK framework.
The application embeds a SDK framework developed by mob.com 18 designed to get almost any metadata available from the smartphone.
MobTech is advertised as a data intelligence plateform designed to help developers to gather data from applications.
Dji Go 4 Software Download
At least, this framework works as intended: it collects data. A lot of data. As anyone can see in the
com/mob/tools/utils/DeviceHelper.java
classes, almost any data which can be used to track a user is queried. It goes from screen size and brightness to WLAN address and MAC, BSSIDs, Bluetooth addresses, Mac addresses from neighbors, IMEI and IMSI, carrier name, SIM serial Number, SD card information, OS language and kernel version, Location and language and so on.The full list of data collected cannot fit in this blogpost but the amount and depth of data collected is significant and can be used to track a single person or device. Just like the previous Bugly feature, the information collected by mob.com and DJI seem to go beyond DJI privacy policy 8 especially concerning identification numbers used only by cellular network operators (IMSI, IMEI, serial number of the SIM card). As a side note, MobTech privacy policy 19mentions way more data being collected compared to DJI privacy policy.
An example of requests sent to mob.com website containing a lot of private information is contained in the snippet below:
A third party company 20 disclosed how much data DJI Mimo application and Mob.com SDK sends abroad. After this publication, the Mob SDK was also removed from the latest version available of DJI GO 4.
Unstoppable application
If you close the application in Android by swipe right, it doesn’t close. The app continues to run in the background and makes network requests. A service, called Telemetry provided by MapBox will restart the application in the background.
If you want to effectively close the application, you must terminate the service and close the application in the Android Settings. The user might have a false sense of security when he or she thinks the app is closed, whereas the app is still able to collect data or modify its features.
Network connectivity
Some users of DJI GO 4 may argue that they switch their phone to flight mode when they flight drones for sensitive missions. It’s important to consider that among permissions required by DJI GO 4 5, the application has permission to change network connectivity.
Further leads
Several parts of the applications were not covered by this research, such as many of the native libraries which have not been analysed. It therefore remains untested if DJI Go 4 contains even more shady features.
Conclusion
Security concerns on the DJI GO 4 application are likely founded, especially given the lack of transparency around the application capabilities.
Dji Go 4 Download Pc
The analysis of DJI GO 4 shows similar result to other Chinese applications such as
Study the Great Nation
21 : obfuscation for hiding functionalities, information gathering including information on the phone, cellular network ID and GPS location of the user or the drone and execution of code without the control of the user (forced updates). Thus, the application should not be used for sensitive purpose.IOCs
Dji Go App Download
hxxp://api.weibo.cn/2/client/common_config
hxxps://service-adhoc.dji.com/app/upgrade/public/check
hxxp://android.bugly.qq.com/rqd/async
hxxp://wb.testing.amap.com
hxxp://group.myamap.com
hxxp://m.map.so.com
hxxp://114.247.50.32
180.96.64.225/mo