DJI website’s ‘Get the app on Google Play’ directs users elsewhere

Drone enthusiasts and the owners of devices made by DJI need to download a compatible app to control their toys in the air.


This is relatively straightforward — you download the mobile app for Apple’s iOS or Google’s Android operating system, install the “DJI Go” software, and away you go.

However, website visitors may be misled about exactly where their applications are being downloaded from.

A post published on GitHub outlines the problem. When users go via the DJI website to download the necessary app for their smartphone or tablet, they are met with a “Get It On Google Play” image.


However, this does not go to the Google Play store; instead, clicking will download an .APK file directly from DJI servers to a device.

There is also a “Download on the App Store” button which does direct users to the official Apple App Store.


DJI offers the official app through both stores, alongside scannable QR codes — the Android version of which also pulls the .APK directly from DJI and not Google Play, according to the researcher.
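The mismatch described above, a store badge whose link does not actually go to that store, is easy to check for on a page you are responsible for. The following auditor is an added example, not code from the GitHub post or from DJI: it walks a page's HTML, finds store badges (an image inside a link), and flags any Google Play badge whose target is not play.google.com, is not HTTPS, or points straight at an .apk file. The sample HTML, hostnames and file name are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PLAY_HOSTS = {"play.google.com"}
APP_STORE_HOSTS = {"apps.apple.com", "itunes.apple.com"}


def check_badge(store, href):
    """Return a finding describing whether the badge link really goes to the named store."""
    u = urlparse(href)
    expected = PLAY_HOSTS if store == "google_play" else APP_STORE_HOSTS
    problems = []
    if u.scheme.lower() != "https":
        problems.append("not https")
    if u.netloc.lower() not in expected:
        problems.append(f"host {u.netloc!r} is not the {store} store")
    if u.path.lower().endswith(".apk"):
        problems.append("links directly to an .apk file")
    return {"store": store, "href": href, "ok": not problems, "problems": problems}


class BadgeAuditor(HTMLParser):
    """Collect store badges: an <img> whose alt/src mentions a store, nested in an <a>."""

    def __init__(self):
        super().__init__()
        self._href = None  # href of the <a> currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href is not None:
            label = ((a.get("alt") or "") + " " + (a.get("src") or "")).lower()
            if "google play" in label or "play store" in label:
                self.findings.append(check_badge("google_play", self._href))
            elif "app store" in label:
                self.findings.append(check_badge("app_store", self._href))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def audit_badges(html):
    p = BadgeAuditor()
    p.feed(html)
    return p.findings


# Constructed sample page: the Play badge serves an .apk from the vendor's own host,
# while the App Store badge goes to Apple, mirroring the behaviour reported above.
SAMPLE_HTML = """
<a href="https://vendor.example/downloads/app.apk"><img alt="Get it on Google Play" src="/img/google-play.png"></a>
<a href="https://apps.apple.com/app/id000000000"><img alt="Download on the App Store" src="/img/app-store.png"></a>
"""

if __name__ == "__main__":
    for finding in audit_badges(SAMPLE_HTML):
        print(finding)
```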

Interestingly, it also seems that the app version on the server does differ slightly. According to the anonymous contributor, “configuration files are present in the DJI version that aren’t in Google Play’s version,” and there are some image files and source code differences between the two.

It is important to note there is no evidence to suggest that in any way DJI servers are insecure or have been compromised.

However, this is not the point.

When you download an application from the App Store or Google Play, you are aware that the app has undergone a number of security checks and processes to make sure the software you are about to download and execute is not malicious.

While some apps do inevitably slip the net, in general, apps downloaded from these official sources are far safer than those downloaded from third-party servers.

The Internet is rife with fake and malicious versions of legitimate apps which are stored in third-party servers for download. If a user downloads and installs these apps, this can lead to surveillance, account hijacking, and mobile devices becoming infected with anything from Trojans to ransomware.


In addition, there have been cases of legitimate servers which offer apps outside of these stores being compromised by attackers and loaded with malware.

By using a button proclaiming that the app’s source is from Google Play, users are being told that the app comes from this particular, trusted source. It is misleading and, even should it simply prove an oversight, should not have been allowed to occur.

If a user is happy to shoulder the risk of downloading a mobile application outside of the App Store or Google Play, that’s fine — but either way, the source of the download should be made clear to the user in the first place.


Google was reportedly informed of the issue but concluded that the problem was outside of the firm’s scope.

ZDNet has reached out to DJI and will update if we hear back.
