Slashdot Mirror


Ask Slashdot: Are My Drone Apps Phoning Home?

Slashdot reader bitwraith noticed something suspicious after flying "a few cheap, ready-to-fly quadcopters" with their smartphone apps, including drones from Odyssey and Eachine:

I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging. I tried contacting the publisher of the Odyssey VR app, with no reply.

I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?

The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?

Are the drone apps phoning home?

19 of 132 comments

  1. Simple answer by Brett Buck · · Score: 5, Informative

    Yes. Recently, the military suspended the use of certain drone manufacturers' products for the same reason.

    1. Re:Simple answer by Anonymous Coward · · Score: 5, Interesting

      Christ, it was even on Slashdot and they still downvote you.

      US Army Calls Halt On Use of Chinese-Made Drones By DJI

      Posted by BeauHD on Friday August 04, 2017 @05:40PM from the new-guidance dept.

      Due to "an increased awareness of cyber vulnerabilities with DJI products," the U.S. Army is asking all units to discontinue the use of DJI drones. The news comes from an internal memo obtained by the editor of SUAS News. It notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017. The Verge reports:

      SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, "Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent." However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search. Pomaski also points out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the U.S., Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone's microphone, and telemetry data detailing the height, distance, and position of your recent flights.

      DJI provided the following statement to The Verge: "People, businesses and governments around the world rely on DJI's products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have 'issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.' We are surprised and disappointed to read reports of the U.S. Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."

    2. Re:Simple answer by AmiMoJo · · Score: 3

      No? The suspension was due to possibly justified paranoia.

      While it's possible that these apps are phoning home, there are legitimate reasons for doing so, e.g. updating no-fly zone maps that prevent the user from entering airport boundaries or flying over military installations. You know, the stuff that the government wants them to implement.

      Instead of asking Slashdot, this person needs to set up Wireshark to capture the packets. Might need to install a custom certificate on the phone in order to MITM the HTTPS stream too, if their security meets that basic level.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Simple answer by JohnFen · · Score: 2

      While it's possible that these apps are phoning home, there are legitimate reasons for doing so

      There is never a legitimate reason to do so without my knowledge and permission.

  2. They all phone home by Anonymous Coward · · Score: 5, Insightful

    Analytics. Telemetry. Whatever you want to call it, data is traversing the network without your explicit approval.

    1. Re: They all phone home by JohnFen · · Score: 2

      What's in telemetry data is something that has to be investigated further.

      I've reached the point where I don't actually care what's in telemetry data anymore (in part because there's no such thing as "innocuous", "non-PII", or "anonymized" data). I'll do my best to stop it all regardless.

  3. some solutions.. by gl4ss · · Score: 5, Informative

    If you have a Samsung and a couple of hours I have a solution for you.. if you know a little bit of Java.

    Samsung phones have firewall APIs that you can access with an SDK from Samsung and a license code. You can also turn off the Wi-Fi with the same APIs in a way that another app can't open it. Also with the same APIs (and well, if you got admin rights somehow for your app, on vanilla Android too) you can enable/disable particular services and activities from within the app - this depends on the architecture of the app, but it is possible possibly to just turn off the phone home service.

    There are also other things you can do that work on all phones; there's an app on the Play Store for changing app permissions.

    (What it does is repackage the original .apk with different permissions, so you can remove the perm for Wi-Fi control from the apk - the app will still have permission for normal HTTP connections though.)

    Now, you might ask why Android doesn't give you as the device owner access to all these options just outright from opening the box: because fuck you peon, that's why.

    On vanilla Android (without rooting), if you want to give admin rights to an app you have to do it BEFORE finishing the first start dialog flow, and there aren't that many ways to do that except NFC on some models and a flawed OTG auto-APK installer on some other models.

    So the Samsung extra APIs are a case where manufacturer additions to the firmware are actually pretty nice if you use them for yourself instead of someone using them against you.

    --
    world was created 5 seconds before this post as it is.
    1. Re:some solutions.. by AmiMoJo · · Score: 2

      There are several firewall apps on Play and F-Droid. They work by creating a local VPN connection which they can filter. As a bonus you get ad blocking too in some of them. I like DNS66.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Remove the permission by pgn674 · · Score: 4, Informative

    Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the Allow. That will disallow the app from enabling your WiFi.

  5. Re:Maybe, just maybe... by silverkniveshotmail. · · Score: 5, Funny

    Apple makes sure that every app available to me is a good and wholesome app, no problems with Apple apps. Google allows bad apps, Google is bad.

  6. Not just Android... by Anonymous Coward · · Score: 3, Interesting

    I had a drone with an iPhone app that called home too, so it's not just an Android issue at all.

  7. Assuming the IP's aren't hardcoded.... by Drakonblayde · · Score: 4, Insightful

    I've found using a Pi-hole and adding the domains they're trying to call to the blacklist to be useful.
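
An added example, not part of the original comment: one way to decide which domains belong on that blacklist is to list what the phone resolves while it should be idle. It assumes the dnsmasq-format query log that Pi-hole writes; the sample lines, IP addresses and domains are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq log format that Pi-hole writes.
# All IPs and domains are made up; 192.168.1.23 stands in for the phone.
SAMPLE_LOG = """\
Aug 14 21:05:11 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
Aug 14 21:05:11 dnsmasq[812]: forwarded www.example.org to 9.9.9.9
Aug 15 02:13:40 dnsmasq[812]: query[A] telemetry.drone-app.example from 192.168.1.23
Aug 15 02:13:41 dnsmasq[812]: query[AAAA] telemetry.drone-app.example from 192.168.1.23
Aug 15 02:14:02 dnsmasq[812]: query[A] stats.drone-app.example from 192.168.1.23
Aug 15 02:30:00 dnsmasq[812]: query[A] time.example.net from 192.168.1.50
Aug 15 03:13:40 dnsmasq[812]: query[A] telemetry.drone-app.example from 192.168.1.23
Aug 15 09:00:00 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
"""

# Only "query[...] <domain> from <client>" lines are of interest here.
QUERY_RE = re.compile(
    r"^\w{3}\s+\d{1,2} (?P<hour>\d{2}):(?P<rest>\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[[A-Z0-9]+\] (?P<domain>\S+) from (?P<client>\S+)$"
)

def split_by_window(log_text, client_ip, start_hour=0, end_hour=6):
    """Return (night, day): domain -> list of HH:MM:SS query times for one client.

    night holds queries with start_hour <= hour < end_hour, day holds the rest.
    """
    night, day = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or m["client"] != client_ip:
            continue
        bucket = night if start_hour <= int(m["hour"]) < end_hour else day
        bucket[m["domain"].lower()].append(f'{m["hour"]}:{m["rest"]}')
    return dict(night), dict(day)

def blocklist_candidates(log_text, client_ip, start_hour=0, end_hour=6):
    """Domains the client looked up only inside the overnight window."""
    night, day = split_by_window(log_text, client_ip, start_hour, end_hour)
    return sorted(set(night) - set(day))

if __name__ == "__main__":
    night, _ = split_by_window(SAMPLE_LOG, "192.168.1.23")
    for domain, times in sorted(night.items()):
        print(f"{len(times):3d}  {domain}  first seen {times[0]}")
    print("review before blocking:", blocklist_candidates(SAMPLE_LOG, "192.168.1.23"))
```

As the comment's title notes, this only sees traffic that goes through DNS; an app that connects to hardcoded IP addresses will not appear in the log.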

  8. Re:Maybe, just maybe... by davester666 · · Score: 2

    Actually, no. If you are a truly big corp, such as Facebook or Google, they can use APIs that let them upload/download whatever they want, even when they are not the active app, and even if the user has force-quit the app. Every once in a while, they'll change the app and then it goes and downloads a bunch of crap in the background, a bunch of users get a surprise at the end of the month with overage charges, then they rush out an update to stop doing that particular thing.

    I wish Apple would add a setting to every app to permit me to enable/disable all internet access on a per-app basis.

    --
    Sleep your way to a whiter smile...date a dentist!
  9. Re:Maybe, just maybe... by Solandri · · Score: 3, Insightful

    Submitter is now learning how to disallow an app from doing this on Android. Some apps you *do* want to be able to turn on WiFi on its own (e.g. VoIP phone app if you don't want it burning your cellular data).

    If you know you're technically incompetent and want someone to handhold you through your phone "ownership", then iOS is what you want. If you have the technical knowledge to tweak the phone and want the freedom to use your phone however you want, then Android is what you want. Just like some people like to buy a Toyota and take the car to the dealer at regular service intervals, while other people buy a Chevy and modify or tweak every single component and do all the maintenance themselves. Different strokes for different folks.

  10. Oh give me a drone... by Paul Johnson · · Score: 5, Funny

    Oh give me a drone,
    That phones home on its own,
    And uploads all that I've done,
    And when it has phoned,
    Little drone of my own,
    Its makers will see all my fun.

    --
    You are lost in a twisty maze of little standards, all different.
  11. Re:Maybe, just maybe... by PhunkySchtuff · · Score: 5, Informative

    You can enable/disable Mobile Data on a per-app basis in iOS - go to Settings > App Name and you can turn on/off Mobile Data for any apps that have registered as using mobile data on your device.

    re: big corps that use unpublished APIs, this used to be the case, but Apple have cracked down on it significantly. There are a number of apps that are permitted to run in the background, Facebook is not one of them, however Facebook "accidentally" registered their app as a media player and they'd play a silent mp3 in the background to get around iOS trying to freeze the app when it wasn't in use. Apple had a quiet chat to Facebook and this has apparently stopped.

    As far as I know, if you force-quit an App, it has no way to re-launch itself in the background and start using data again.

  12. Chinese spies, Russian spies, Asgardian spies by peterofoz · · Score: 2

    You would have to assume that any devices made and software updated by international companies could be potentially co-opted by those states in time of war to spy on national activities - anything with a camera, microphone, and internet connection. That includes the bazillion security cameras, drones, TVs with cameras, phones and laptops. I uninstalled a firmware upgrade to my security camera when I saw they wanted to upload all data to their cloud when I have a perfectly good one at home. Same with the wi-fi smart router. Time to get out the tin foil hats.

  13. Probably by JohnFen · · Score: 3, Insightful

    In this day and age, you have to assume that every piece of software you run on any platform will be phoning home.

    That's why I firewall all traffic, incoming and outgoing, these days, especially on my phone. It's also rather interesting examining the logs of what was blocked.

    In fact, as I was doing routine firewall maintenance over the weekend, it occurred to me that at some point I made a shift -- I now pay more attention to outgoing traffic than incoming!

    Industry trends have resulted in it becoming necessary to treat all devices and software, inside or out, as threats.

  14. Re:Maybe, just maybe... by ScienceofSpock · · Score: 4, Informative

    Android has had the ability to turn on/off any permission for any app since at least Marshmallow. Go to Settings->Apps then click on an app and then click on 'Permissions'. Don't want it using WiFi? Turn off WiFi. Don't want an app to track your location? Turn off Location. Simple, and you don't need to be rooted at all as it's part of the OS.