DJI update removes plugins that shared user data without their knowledge

Photo by Amelia Holowaty Krales / The Verge

DJI says a third-party company collected data about drone users without their permission, and it's now revoking the plugin's access in a new software update. The company clarified the situation in a blog post today, saying that a third-party plugin called JPush was used in its DJI GO and DJI GO 4 apps for Android to help serve push notifications when video files were uploaded to DJI’s SkyPixel video sharing platform. Although JPush wouldn't have needed much data to complete the job, DJI says the app actually ended up collecting personal information, including a list of apps installed on the user’s Android device.

DJI says it revoked JPush's access when it found out about the data collection. It also removed the “hot-patching” plugins jsPatch for iOS and Tinker for Android, which let the drone company update elements within its drone apps without updating the entire app. In addition to the software update today, DJI also launched an internal educational program for developers, a more rigorous code review and testing process, and a bug bounty program that will pay users up to $30,000 for identifying exploits.

at least DJI is revoking access

Clearly DJI is taking users' data concerns seriously, especially when they can be traced back to DJI's own company-issued apps and not a random download from the Play Store. As we saw with AccuWeather, all code, especially from random companies, should be vetted before inclusion.

The update today comes after DJI added a local mode to its drones for users who want to fly privately without transmitting personal data over the internet.