faq:dataleakage [2017/08/08 03:02] czokie [Unusual findings] |
faq:dataleakage [2017/08/27 03:39] czokie ↷ Links adapted because of a move operation |
Line 1: | Line 1: | ||
====== DJI Data Leakage ====== | ====== DJI Data Leakage ====== | ||
- | This page will contain examples of where information " | + | This page will contain examples of where information " |
- | ===== Kilometers flown ===== | ||
- | * A user posting on the DJI forum has the distance flown with their linked DJI profile displayed against every forum post | ||
+ | ===== Hot Patching - Back-door found in DJI GO ===== | ||
+ | One of the big no-go areas in an app development is the capability for an app to modify its code after deployment. If an app is able to modify itself, it will be able to bypass the rules that govern acceptance into an App Store. For example, Apple has recently [[https:// | ||
- | ===== Skypixel ===== | + | ==== Android Tinker ==== |
- | * A user who shares content to say a private Facebook page also has their content uploaded to skypixel. There is no way to turn this off. [[https:// | + | |
+ | Security Researchers have [[https:// | ||
+ | |||
+ | ==== IOS JSPatch ==== | ||
+ | |||
+ | Before IOS users start to feel confident about their choice, the news on IOS is not much better. IOS APK's have been found to contain JSPatch as an alternative to Tinker. According to [[https:// | ||
+ | |||
+ | As stated above, [[https:// | ||
+ | ==== The Response ==== | ||
+ | |||
+ | DJI representatives initially claimed that hot patching "//has never been used in production//" | ||
+ | |||
+ | Regardless of the denial by DJI, you don't put a back door in your code for no good reason. | ||
+ | |||
+ | DJI have subsequently advised that the issue: //" | ||
+ | |||
+ | These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin' | ||
+ | |||
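Review bot: in the JSPatch paragraph, "IOS APK's have been found to contain JSPatch" mixes up the two platforms: APK is the Android package format, while iOS apps ship as IPA bundles, so this should read "iOS builds of the app" (or "IPAs"). The platform is also written "IOS" in the heading and throughout this section; Apple's spelling is "iOS", and matching it keeps the page consistent with "Android" in the previous heading. In the closing paragraph, "anything you likeis like opening up" is missing a space and should read "anything you like is like opening up".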
+ | ===== DJI Forum - Disclosure of DJI sales history ===== | ||
+ | Imagine you are an Amazon customer... and you purchased all sorts of things over an extended period. Imagine you then posted something in an amazon support forum... and when your forum post is published, anyone reading it could see your amazon purchase history. Would that be a concern? | ||
+ | |||
+ | Not according to DJI. Any user who posts in the DJI forum will have their past sales history disclosed against their forum posts. There is an icon for each product owned, that is displayed against the user profile in each post. Disclosing sales records is to be blunt a serious concern, and not permitted under the terms of the DJI privacy policy. | ||
+ | |||
+ | ===== Dji Forum - Disclosure of Kilometers flown ===== | ||
+ | A user posting on the DJI forum has the distance flown with their linked DJI profile displayed against every forum post. The DJI privacy policy for the DJI GO app does not permit this disclosure. Flight logs being uploaded to the " | ||
+ | |||
+ | //Any information that you voluntarily choose to upload to a publicly accessible site or venue using DJI Products and Services (including sharing information on SkyPixel, DJI+ Discover App or on DJI’s online community forum, the “DJI Forum”), or that you elect to make public, will be available to anyone who has access to that content, including other users.// | ||
+ | |||
+ | This policy is the closest one that relates to this provided data. The sharing of kilometres traveled from sync'd flight logs breaches DJI's [[http:// | ||
+ | |||
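Review bot: both forum sections state that the disclosure is "not permitted under the terms of the DJI privacy policy" / "breaches DJI's" policy, but the only policy text quoted says that information a user "voluntarily choose[s] to upload to a publicly accessible site" such as the DJI Forum "will be available to anyone who has access to that content". As written, the quoted clause reads as support for DJI rather than against it; the argument needs one sentence explaining why sales records and synced flight distances, which the user never posted to the forum, are not something the user "voluntarily" chose to make public. The heading "Dji Forum - Disclosure of Kilometers flown" should also use "DJI Forum", matching the section heading immediately above it.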
+ | ===== Skypixel | ||
+ | * A user who shares content to say a private Facebook page also has their content uploaded to skypixel. There is no way to turn this off if you press the share to Facebook logo in DJI go. [[http:// | ||
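Review bot: the SkyPixel bullet now says "There is no way to turn this off if you press the share to Facebook logo in DJI go", which narrows the earlier claim; it should say whether sharing by another route (outside the DJI GO share button) avoids the SkyPixel upload, otherwise "no way to turn this off" reads as contradicted by its own qualifier. Product names should be spelled consistently with the rest of the page ("SkyPixel", "DJI GO") rather than "skypixel" and "DJI go".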
===== Unusual findings ===== | ===== Unusual findings ===== | ||
- | More research is in progress on both of the items below | + | More research is in progress on of the item(s) |
- | * [[https:// | + | |
* [[https:// | * [[https:// | ||
- | FIXME: Looking for more examples of data leakage | + | ===== Network Chatter ===== |
+ | [[.:dataleakage/ |
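Review bot: "More research is in progress on of the item(s)" is ungrammatical; it should read "More research is in progress on the item(s) below". The "FIXME: Looking for more examples of data leakage" marker is removed in this revision without any note that it was resolved; if the page still wants contributions, the FIXME should be kept alongside the new "Network Chatter" section rather than replaced by it.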