Analyzing Data Use by the DJI Mimo App

May 12, 2020

The Chinese drone manufacturer, Da Jiang Innovations, Inc. (DJI), recently donated hundreds of unmanned aircraft and accessories to US law enforcement organizations to help enforce stay-at-home orders during the COVID-19 pandemic. Police in 22 states accepted these drones and began using them. This move has stirred up longstanding concerns and allegations that DJI works with the Chinese Communist Party (CCP) to spy on Americans.

Claims of this kind of espionage have caused controversy for several years. While many are hard to prove, China’s position in the technology supply chain continues to present a threat to US national security.

As a team focusing on deep technical analysis of products like those made by DJI, we performed a brief analysis of the DJI Mimo mobile application. DJI’s Mimo app is an interesting product for analysis because of its many personal, commercial, and public-sector uses. The handheld DJI Osmo series of action cameras connect to a user’s mobile phone and allows them to upload content via the DJI Mimo application to DJI-owned servers hosted in China. This is relevant because since US Immigration and Customs Enforcement has released a bulletin describing how DJI drones and mobile apps could be used to send sensitive US critical infrastructure and law enforcement data to the Chinese Government. It is also of interest as another DJI mobile application, DJI Go 4, has been reported by Gizmodo to communicate the user’s IMEI to servers in China via the crash reporting toolkit called Bugly (a product of Chinese internet giant Tencent).

We reviewed the DJI Mimo app’s binaries and observed the network traffic between the internet and mobile devices using the app. We could not investigate everything, but did make several discoveries that may be of concern to US citizens and companies using DJI products (and to policy makers concerned about national security). We hope you’ll read the entire post, but it you are short on time, here is an overview of what we found:

  • DJI’s Mimo app uses libraries that request personal data about users’ religious and political affiliation, as well as security settings from connected social network APIs.
  • The DJI Mimo app sends data through insecure means to servers behind the Great Firewall of China, where it is accessible to the Chinese Government.
  • The DJI Mimo app requests from users (via the OS) access to fine and coarse location data, the ability to manipulate WiFi state, read SMS messages, and read logs.
  • The DJI Mimo app fails to meet basic security practices for users’ data, leading to potential disclosure or modification in transit.
  • DJI’s Terms of Use Agreement allows user data to be shared with the Chinese Government.
  • Even without user consent, the DJI Mimo app sends sensitive information via unsecured means to third-party servers, where the Terms of Use Agreement supports cooperation with the Chinese Government.

Analysis & Findings

Despite our limited time analyzing the DJI Mimo app, we still made several troubling discoveries, as detailed in the following sections.

Third-Party Analytics Providers

The DJI Mimo utilizes third-party analytics tools by MobTech, Google’s Crashlytics, and others. MobTech is a Chinese analytics company which openly cooperates with the Chinese Government, as stated in their public policies. The DJI Mimo app collects a very broad array of information from users’ phones, ranging from carrier and network information, to hardware, usage, and geolocation data. Much of this data is sent unencrypted to MobTech, and thus is easily visible to any entity positioned to view the user’s network traffic. For instance, the Chinese Government, which operates the Golden Shield Project (a.k.a. The Great Firewall of China), could intercept all of this data. Based on what we could see, the user is not informed and is unable to prevent this data transmission.

m = HashMap()
m['mbrand'] <- function that fetches Build.BRAND
m['mmodel'] <- function that fetches Build.MODEL
m['msize'] <- function that fetches display x * y
m['ostype'] <- function that returns 2 on Android
m['osver'] <- function that fetches VERSION.RELEASE
m['country'] <- function that fetches Locale...getCountry
m['lang'] <- function that gets language
m['channel'] <- function that returns "GooglePlay” on Android
m['appver'] <- function
m['Token'] <- the install's token
...
c = connection(getBaseInfoReportUrl, m)
c.start()

Pseudocode Based on the Logic Used to Build the "Phone Stats" Data

Additionally, DJI operates its own analytics reporting service (https://statistical-report.djiservice.org/) which collects similar data via “event reports.” This data can easily be used to plan cyber-attacks or track an individual and their activity.


Communication with Multiple Analytics and Reporting APIs


DJI also utilizes Google’s Crashlytics, though the DJI Mimo app prompts the user for permission before sending crash data to Google. However, if DJI uses its own internal analytics library and multiple third-party Chinese owned ones, why do they also use Google Crashlytics?

Integration and Data Access from Social Networks

The DJI Mimo app requests broad permissions on devices and other user accounts. The use of several Oauth providers allows automated access to users’ connected apps. This provides sign-in from one application to another, and there is broad support for services like WeChat, Weibo, Twitter, and Facebook. Access to services such as Facebook is utilized by DJI’s Mimo app to authorize the release of unnecessary user data, such as political affiliation, religion, and security settings – all data the CCP may be particularly interested in. On Android, the list of fields was found inside what appears to be the MobTech ShareSDK which, if called, includes the following:

id,name,first_name,middle_name,last_name,gender,locale,languages,link,age_range,...,timezone,updated_time,verified,birthday,cover,currency,devices,education,email,hometown,interested_in,location,political,payment_pricepoints,...,quotes,relationship_status,religion,security_settings,significant_other,...,website,work

Although it is difficult to determine from brief analysis which of these permissions are used, the iOS app makes a call (mob.shareSDK.Facebook.getUserInfo) to the MobTech ShareSDK, which leads us to expect similar behavior on Android.

Like many applications which use social network access, the DJI Mimo app also appears to use the Facebook friends endpoint, although we did not analyze what specific data is retrieved or how it is used within the DJI Mimo app.

Broad Permissions to Mobile Device Data

When installed on a device, the DJI Mimo app requests access to fine and coarse location data, read and manipulate WiFi state, read SMS messages, and read logs. These permissions, which the average user is unlikely to review in detail, give unfettered access for the app to read and alter data whenever the app chooses, without further user interaction or acknowledgement. A listing of these permissions is included below.

Base Permission Requests:

  • ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION
  • BLUETOOTH_ADMIN is potentially to connect to the Osmo Action device
  • ACCESS_WIFI_STATE, CHANGE_WIFI_STATE
  • READ_SMS is potentially legitimate to get a verification code or similar, but could allow a malicious application to gather other data from SMS as well
  • DUMP is used in facebook.stetho
  • INTERNET, ACCESS_NETWORK_STATE
  • WAKE_LOCK - firebase
  • READ_PHONE_STATE - used by com.mob.tools.utils.DeviceHelper and com.tencent.bugly.crashreport.common.info.b, which calls telephonyManager.getSubscriberId(). We consider the subscriber ID to be a potentially privacy sensitive value.
  • READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
  • READ_LOGS is used by Bugly

Additional Permissions from Android on SDK 23+:

  • READ_CALENDAR, WRITE_CALENDAR
  • CAMERA
  • READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS
  • ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG, USE_SIP, PROCESS_OUTGOING_CALLS
  • BODY_SENSORS
  • SEND_SMS, RECEIVE_SMS, READ_SMS, RECEIVE_WAP_PUSH, RECEIVE_MMS
  • READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE

Basic Communications Security

The DJI Mimo app fails to meet basic security practices with regard to data transport security. Several instances of poor security lead to potential disclosure or modification in transit of users’ data.

The DJI Mimo app communicates with Skypixel, a DJI-operated video hosting site. The traffic between this site and the app are vulnerable to man-in-the-middle attacks which can easily be performed with freely available tools, disclosing user content and personal information contained within it.

In other parts of the DJI Mimo app, communications data (com.mob.commons component) is encrypted using weak AES 128-bit keys generated by a deterministic construction, and then shared over unsecured HTTP connections. When AES is used, it operates in ECB mode which, while better than no encryption at all, is not considered strong especially given the highly structured data transmitted within it. Data shared under this method includes the phone model, WiFi and cellular status, app version, and unique app install identifier. This weak key derivation and usage means that even seemingly encrypted data sent from a user’s device could be recovered from a moderately talented attacker, let alone a Nation State.

...
d = {
    "appkey": appkey,
    "plat": str(getPlatformCode()),
    "apppkg": packageName,
    "appver": getAppVersionName(),
    "networktype": getDetailNetworkTypeForStatic(),
}
...
d2 = {
    "User-Identity": MobProductCollector.getUserIdentity()
}
result = fromJson(httpGet(url, d, d2, timeout))
...
if (status == "200"):
    authorizeForOnce = str(result['sr'])
    rawMD5 = rawMD5(("**REDACTED_STATIC_VALUE**")).getBytes()
    if (authorizeForOnce != null):
        str = AES128Decode(rawMD5, base64.decode(authorizeForOnce, 2))
...

Pseudocode based on `com.mob.commons` logic

GET http://f.gm.mob.com/v5/gcf?appkey=&plat=1&apppkg=dji.mimo&appver=1.2.0&networktype=wifi&duid=5485f31e6ca0eea4ecb62620a4de307aa605bcdd&ags=1&ts=1565990125627&as=IgrP814N7ETbY6UzXDAH02agzgh%2FWp5IDp%2FMfAhcowA%3D HTTP/1.1
====
{"status":200,"sr":"bkegYauQEwiHLeqMq9JLxg==","sc":"4Mjh8PmBMLF0/U...oGznbw==","timestamp":1565990125224}

Example Network Request and Response

Terms of Use and Other Policy Analysis

This brings us to a brief analysis of DJI’s and third-party software policies. While the hundreds of pages of policies are too much to quote here, a few excerpts give a fascinating glimpse into companies which are openly working to further the objectives of the Chinese Government. The language in this policy does little to assuage user privacy concerns and comes just short of guaranteeing that every piece of user data will be shared with the Chinese Government.

SkyPixel, the DJI-operated video hosting site, contains the following snippets in its “SkyPixel Content Guideline for Users“:

To use SkyPixel services, Users shall accept SkyPixel’s Terms of use. … all user content, comments, and published and shared work (including unpublished private videos… shall comply and align with the requirements of ‘The Seven Bottom Lines’ policy. This incorporates the core aspects of the law and regulations system, the socialist system, national interests, the legitimate rights and interest of citizens, social order, and information authenticity. … Users are not allowed to publish information that:

  1. Opposes the cardinal principles specified in the Constitution of the Peoples’ Republic of China;
  2. Harms the unity, sovereignty, and territorial integrity of the state;
  3. Leaks state secrets, endangers national security, subverts state power, attempts to disunite the country, undermines state unity, and damages national honor and interests;
  4. Incites hatred or discrimination among nationalities, harms the unity of the nationalities, infringes on national customs and habits;
  5. Promotes terrorism and extremism;
  6. Destroys the state’s religious policy, promotes cults, and superstitions;
  7. Incites regional discrimination and hatred;
  8. Tampers with and spoofs the national anthem; uses the national anthem in inappropriate business and entertainment;
  9. Distorts, defames, profanes, negates revolutionary leaders and heroic martyrs;
  10. Misuses and spoofs the names and portraits of revolutionary leaders and heroic martyrs; …

DJI must be aware of the privacy concerns and security issues regarding its own product, as well as the broader claims of Chinese companies being used to spy for the CCP. We know this because DJI commissioned Kivu Consulting, Inc. to review the DJI Go 4 application (a different mobile application than we examined) and to provide “independent verification” of DJI data transport. A summary only of this report was made available and paints DJI in a positive light.

However, Gizmodo reported obtaining a copy of the full 27-page Kivu Consulting report, and noted that the summary does not discuss all of the data that is communicated from the DJI Go 4 app to external servers. Gizmodo reported that the DJI Go 4 app does communicate with servers in China through a crash reporting app called Bugly, a product of the Chinese internet giant Tencent. Data transmitted via Bugly includes IP address and IMEI.

Although our observations are based on a different DJI application than the Kivu report, our work seems to support Gizmodo’s data-harvesting allegations. Although Bugly did not appear to transmit the IMEI, other crash reporting systems such as MobTech do send data, identifiers, and more to third-party servers.

From our observations, it appears that the information published by DJI may not provide the whole picture as, at least on the Mimo mobile application, numerous sensitive pieces of information are sent without user consent via unsecured means through a Chinese Government-monitored network infrastructure to third-party servers wherein the user agreements seem to place cooperation with the Chinese Government above the privacy of users’ data.

Avenues for Future Research

Our brief research and that of other researchers has by no means covered every possible risk, information disclosure, or vulnerability in the DJI Mimo app. We have uncovered many basic issues with the app and feel that much more analysis would be required to gain a more complete understanding. The following areas of potential future investigation are based on idustry best practices and what we have discovered:

  • Review data sent to Tencent Bugly, especially given recent reports of monitoring on WeChat (which is also owned by Tencent).
  • Conduct a security audit of the modified WebViewActivity, including inserted JavaScript interfaces knJSBridge and ibg_js_manager.
  • Perform an update, and observe the connections to the relevant URLs.
  • Audit the HTTPS connection enforcement in areas such as login.
  • Review encryption of data, including usage in com.dji.account.api, which provides HMAC keysa and an AES-CBC key.
  • Determine usage of geocoder lookup.
  • Analyze the potential “debugging backdoor” in dji.limo.main.activity.DomainTestActivity by entering a hardcoded password.
  • Perform additional real-world use of the multi-media capabilities on the application, and all situations where they can be used.
  • Review default settings for telemetry sending.
  • Review mode of debugging operation (e.g., stetho enabled and configuration).

Conclusion

The issues about the DJI Mimo app that we discovered and have discussed here seem suspicious and warrant further investigation. There are extensive opportunities for additional research, including further study of DJI drones and action cameras, additional aspects of other mobile applications, as well as the security of back-end systems.

We note that the highly obfuscated nature of DJI’s mobile application binaries is a barrier to detailed analysis and, as such, security analysis of these products is time intensive. The use of multiple crash and analytic libraries is also intriguing, as some appear to collect only necessary information, while others appear to harvest sensitive user data.

The lack of thorough and correctly implemented security – such as that which allows simple man-in-the-middle attacks – contributes to user privacy risks. The lack of security, and the location of their servers in mainland China, with no option for a CDN or additional server elsewhere makes it easy for actors to intercept application data.

We hope that this blog has shared some technical analysis about the DJI Mimo mobile application which is used with the DJI Osmo action camera, so you can draw your own conclusions or investigate for yourself if you are interested in the privacy and security of your data on these platforms.