Owners of DJI drones and cameras need to download a compatible app to control their devices in the air.
This is relatively simple: you download the mobile application for Apple's iOS or Google's Android, you install the "DJI Go" software, and that is it.
However, visitors to the website may be misled about where their app is actually downloaded from.
A write-up published on GitHub describes the problem. When users visit the DJI website to download the app for their smartphone or tablet, a "Get It On Google Play" image appears.
However, that button does not lead to the Google Play store; instead, clicking it downloads an .APK file directly from DJI's servers to the device.
There is also a "Download on the App Store" button that directs users to the official Apple App Store.
DJI offers the official app in both stores and also displays scannable QR codes – the Android QR code likewise pulls the .APK file directly from DJI rather than from Google Play, according to the researcher.
Interestingly, the version of the application hosted on DJI's server also appears to differ slightly from the Google Play version. According to the anonymous contributor, "configuration files are present in the DJI version that are not in the Google Play version", and there are differences in the image files and the source code.
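The kind of comparison the researcher describes can be reproduced mechanically, since an APK is a ZIP archive: hash every entry in both builds and report what is missing, added or changed, flagging the signing block under META-INF/ separately. The following is an added example written for this article, not code from DJI or from the GitHub write-up, and the two in-memory "APKs" it compares are constructed stand-ins rather than the real packages.

```python
"""Compare two Android APK builds (ZIP archives) entry by entry."""
import hashlib
import io
import zipfile


def _digests(apk_bytes: bytes) -> dict[str, str]:
    """Map every archive entry to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_apks(apk_a: bytes, apk_b: bytes) -> dict[str, list[str]]:
    """Return entries only in A, only in B, and entries present in both but differing.

    Signature blocks (META-INF/*.RSA, *.DSA, *.EC) are reported separately: if they
    differ, the vendor-hosted build was signed over different contents or with a
    different key, which is the first thing to check before sideloading it.
    """
    a, b = _digests(apk_a), _digests(apk_b)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(name for name in set(a) & set(b) if a[name] != b[name])
    sig_changed = [n for n in changed
                   if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
    return {"only_in_a": only_a, "only_in_b": only_b,
            "changed": changed, "signature_changed": sig_changed}


def _make_apk(entries: dict[str, bytes]) -> bytes:
    """Build a minimal ZIP in memory that stands in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: identical code, but the vendor build carries an extra
# config file, a different image and a signature block that does not match.
PLAY_APK = _make_apk({"classes.dex": b"dex-v1", "res/drawable/logo.png": b"png-a",
                      "META-INF/CERT.RSA": b"sig-play"})
VENDOR_APK = _make_apk({"classes.dex": b"dex-v1", "res/drawable/logo.png": b"png-b",
                        "assets/extra.cfg": b"k=v", "META-INF/CERT.RSA": b"sig-vendor"})

if __name__ == "__main__":
    for key, names in compare_apks(PLAY_APK, VENDOR_APK).items():
        print(f"{key}: {names}")
```

On real packages, pass the bytes of the Play Store APK (pulled from a device with adb) and of the vendor download; a non-empty `signature_changed` list means the two were not signed as the same artifact.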
It is important to note that there is no evidence suggesting that DJI servers are not secure or have been compromised.
However, this is not the point.
When you download an application from the App Store or Google Play, you are told that it has been through a number of security and review checks intended to ensure that the software you are about to download and run is not malicious.
Although some applications inevitably slip through the net, in general, applications downloaded from these official sources are much safer than those downloaded from third-party servers.
The Internet is full of fake and malicious versions of legitimate applications hosted on third-party servers for download. If a user downloads and installs one of these applications, the result can be surveillance, account hijacking, and infection of the mobile device with malware such as Trojans and ransomware.
In addition, legitimate servers offering applications outside these stores have in the past been compromised by attackers and used to host malware loaders.
By using a button that proclaims the application comes from Google Play, DJI tells users that the application comes from this trusted source. This is misleading and, even if it turns out to be a simple oversight, it should not have been allowed to happen.
If a user is willing to accept the risk of downloading a mobile application from outside the App Store or Google Play, that is fine, but in any case the source of the download should be clearly indicated to the user.
Google has reportedly been informed of the problem but concluded that it was outside the scope of the company's program.
ZDNet has contacted DJI and will update if we have an answer.