DJI website's 'Get the app on Google Play' directs users elsewhere

Updated: At best it's an oversight, at worst it's placing user security and privacy at serious risk.

Drone enthusiasts and the owners of devices made by DJI need to download a compatible app to control their toys in the air.

This is relatively straightforward -- you download the mobile app for Apple's iOS or Google's Android operating system, install the "DJI Go" software, and away you go.

However, website visitors may be misled about where their applications are actually being downloaded from.

A post published on GitHub outlines the problem. When users go via the DJI website to download the necessary app for their smartphone or tablet, they are met with a "Get It On Google Play" image.


However, this does not go to the Google Play store; instead, clicking will download an .APK file directly from DJI servers to a device.

There is also a "Download on the App Store" button which does direct users to the official Apple App Store.


DJI offers the official app through both stores, alongside scannable QR codes -- the Android version of which also pulls the .APK directly from DJI and not Google Play, according to the researcher.
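The mismatch described above (a store badge whose link does not go to the store) is easy to audit on any page you control. The following is an added example, not code from DJI or from the GitHub post: a small Python checker that finds "Google Play" and "App Store" badge images inside anchors and classifies each link by where it really points. The HTML, the `vendor.example` host and the `.apk` path are constructed for the example.

```python
"""Audit store-badge links: flag a "Get it on Google Play" or "Download on the
App Store" badge whose href does not actually point at that store.
Added example with constructed HTML; not the vendor's page or code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve each store. Anything else behind a badge is a mismatch.
STORE_HOSTS = {
    "google_play": {"play.google.com"},
    "app_store": {"apps.apple.com", "itunes.apple.com"},
}

# Heuristic markers that identify a badge from its alt text or image filename.
BADGE_MARKERS = {
    "google_play": ("google play", "google-play", "googleplay"),
    "app_store": ("app store", "app-store", "appstore"),
}


class BadgeLinkParser(HTMLParser):
    """Collects (store, href) pairs for every badge <img> found inside an <a>."""

    def __init__(self):
        super().__init__()
        self._current_href = None
        self.badges = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current_href = attrs.get("href")
        elif tag == "img" and self._current_href is not None:
            text = " ".join(filter(None, (attrs.get("alt"), attrs.get("src")))).lower()
            for store, markers in BADGE_MARKERS.items():
                if any(m in text for m in markers):
                    self.badges.append((store, self._current_href))
                    break

    def handle_endtag(self, tag):
        if tag == "a":
            self._current_href = None


def classify(store, href):
    """'ok' if the link goes to the store the badge promises, 'direct_apk' if it
    serves a package file from somewhere else, 'off_store' for any other host."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host in STORE_HOSTS[store]:
        return "ok"
    if parsed.path.lower().endswith(".apk"):
        return "direct_apk"
    return "off_store"


def audit_badges(html):
    """Return [(store, href, verdict), ...] in page order."""
    parser = BadgeLinkParser()
    parser.feed(html)
    return [(store, href, classify(store, href)) for store, href in parser.badges]


# Constructed sample page: the Play badge sideloads an APK from the vendor's own
# host, while the App Store badge correctly goes to Apple.
SAMPLE_HTML = """
<div class="downloads">
  <a href="https://vendor.example/downloads/app.apk">
    <img alt="Get It On Google Play" src="/img/google-play-badge.png">
  </a>
  <a href="https://apps.apple.com/app/id000000000">
    <img alt="Download on the App Store" src="/img/app-store-badge.svg">
  </a>
</div>
"""

if __name__ == "__main__":
    for store, href, verdict in audit_badges(SAMPLE_HTML):
        print(f"{store:12} {verdict:11} {href}")
```

The verdict only says whether the badge is honest about the download source; it says nothing about whether a directly served package is safe, which is exactly why the source should be stated plainly in the first place.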

Interestingly, it also seems that the app version on the server does differ slightly. According to the anonymous contributor, "configuration files are present in the DJI version that aren't in Google Play's version," and there are some image files and source code differences between the two.
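A claim that two builds of an app differ can be checked rather than taken on trust. The example below is added here and is not the researcher's or DJI's code: it builds two small APK-shaped zip archives in memory (constructed stand-ins, not the real packages), lists entries present in only one of them or changed between them, and checks whether the v1 (JAR-style) signature blocks under `META-INF/` are byte-identical. Modern apps are usually signed with the v2/v3 scheme stored outside the zip entries, so for real packages the signer comparison should be done with `apksigner verify --print-certs`.

```python
"""Diff two APK builds entry-by-entry and compare their v1 signature blocks.
Added example on constructed archives; not a real DJI or Google Play package."""
import hashlib
import io
import zipfile


def apk_manifest(apk_bytes):
    """Map each file entry in the archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def _v1_signature_blocks(manifest):
    """Entries that carry the JAR (v1) signature; identical bytes imply the same signer cert."""
    return {
        name: digest
        for name, digest in manifest.items()
        if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))
    }


def diff_apks(apk_a, apk_b):
    """Return which entries exist only in one build, which differ, and whether
    both builds carry the same v1 signature block."""
    ma, mb = apk_manifest(apk_a), apk_manifest(apk_b)
    only_a = sorted(set(ma) - set(mb))
    only_b = sorted(set(mb) - set(ma))
    changed = sorted(n for n in set(ma) & set(mb) if ma[n] != mb[n])
    sig_a, sig_b = _v1_signature_blocks(ma), _v1_signature_blocks(mb)
    return {
        "only_in_a": only_a,
        "only_in_b": only_b,
        "changed": changed,
        # Only meaningful when both archives actually have a v1 signature.
        "same_v1_signer": bool(sig_a) and sig_a == sig_b,
    }


def build_apk(entries):
    """Write a minimal zip archive with the given name -> bytes entries (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed builds: the vendor-hosted one carries an extra config file and a
# different image, but the same (placeholder) signature block as the store build.
COMMON = {
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed",
    "META-INF/CERT.RSA": b"constructed-signature-blob",
}
STORE_APK = build_apk({**COMMON, "res/drawable/logo.png": b"PNG-store-variant"})
VENDOR_APK = build_apk({
    **COMMON,
    "res/drawable/logo.png": b"PNG-vendor-variant",
    "assets/config.json": b'{"region": "eu"}',
})

if __name__ == "__main__":
    for key, value in diff_apks(STORE_APK, VENDOR_APK).items():
        print(f"{key}: {value}")
```

Run against two real packages by reading them with `open(path, "rb").read()` in place of the constructed archives; an unchanged signer plus a handful of extra resource entries is consistent with a packaging difference, while a changed `classes.dex` or a different signer is what should prompt a closer look.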

It is important to note there is no evidence to suggest that in any way DJI servers are insecure or have been compromised.

However, this is not the point.

When you download an application from the App Store or Google Play, you can expect that the app has undergone a number of security checks and review processes intended to ensure the software you are about to download and execute is not malicious.

While some apps do inevitably slip the net, in general, apps downloaded from these official sources are far safer than those downloaded from third-party servers.

The Internet is rife with fake and malicious versions of legitimate apps which are stored in third-party servers for download. If a user downloads and installs these apps, this can lead to surveillance, account hijacking, and mobile devices becoming infected with anything from Trojans to ransomware.


In addition, there have been cases of legitimate servers which offer apps outside of these stores being compromised by attackers and loaded with malware.

By using a button proclaiming that the app's source is from Google Play, users are being told that the app comes from this particular, trusted source. It is misleading and, even should it simply prove an oversight, should not have been allowed to occur.

If a user is happy to shoulder the risk of downloading a mobile application outside of the App Store or Google Play, that's fine -- but either way, the source of the download should be made clear to the user in the first place.


Google was reportedly informed of the issue but concluded that the problem was outside of the firm's scope.

Update 13.24BST: DJI confirmed to ZDNet that the link was an oversight. A DJI spokesperson said:

"In short, this was an accident. Each logo is intended to link to its conveyed source -- which as you note in your article, is how it is with the App Store option. We appreciate being informed of the mistake and have already fixed the link."

In relation to the difference between configuration files, the spokesperson said:

"The difference is simply due to the 100mb limit of Google Play's resource package. Our APK package is larger than 100mb so when users download the app on Google Play, they also download a resource patch that contains the remaining info needed for a successful installation."
