So rather than trusting the manufacturer's website and the downloads from said site, we should trust Google? Just seems strange to trust Google more than the manufacturer.
FYI: Drone maker DJI's 'Get it on Google Play' website button definitely does not get the app from Google Play...
Drone manufacturer DJI is under fire because the "Get it on Google Play" button on its website for its smartphone app does anything but that. An anonymous reader pointed El Reg on Thursday to a GitHub-hosted page outlining how users on Android devices who click the "Get it on Google Play" button on DJI's Spark software …
COMMENTS
Friday 19th October 2018 06:56 GMT sabroni
The idea is that Google's vetting adds some security. In theory it's the same app, one copy has been vetted by Google, one potentially hasn't. So it's not trust Google instead of the manufacturer, it's trust Google as well.
However, the fact that the manufacturer wants to avoid Google's security precautions doesn't fill me with confidence, given that the apk itself is different. What's in there that Google won't allow in the store?
Friday 19th October 2018 07:23 GMT robidy
Users will forget to turn security back on after loading a non-play store app.
Chinese company DJI will have a list of these users.
No UK Police or other law enforcement have ever used drones, let alone any from DJI.
Of course Chinese companies and the government would never dream of doing anything with this info.
Friday 19th October 2018 19:40 GMT H in The Hague
Re: Think of it this way
"While DJI do make consumer drones, they're hardly toys anymore, they've made a huge dent in professional markets."
Yup. Currently working with a drone company and learning a lot about this kit. Just over a grand will get you a DJI drone with a pretty good camera. Perfectly good for many photography and video applications, and some surveying jobs.
Also gets you DJI geofencing. Stops you from accidentally flying your drone into restricted airspace (potentially saving you thousands in fines, and zillions in damages if you shut down a major airport with a drone incursion). But the geofencing is not perfect. One operator I know is based at a _former_ military aerodrome and for ages the geofencing map wasn't updated and stopped them flying a DJI drone at their home base. Also means that DJI can potentially map your whole country as restricted airspace and shut down your drone operations completely. So perhaps not the best brand to choose for public services applications (go on, call me a cynic).
Here's to a good weekend - may your pints and drones have a safe flight.
Friday 19th October 2018 09:22 GMT rmason
Re: Think of it this way
@DougS
The point here isn't the likelihood of websites etc. being compromised, it's the likelihood of the company being up to "shenanigans" for their benefit.
As the article states the app on their site *is* different to the one they already have on the playstore.
They *could* be doing it 'correctly' but choose not to. Why? Why mislead people into thinking they are getting playstore content?
As I say, the issue isn't google being hacked vs their site getting hacked, it is that they have, for some reason, made a conscious decision to fib to customers and force them to sideload. Sideloading on android requires a few security related settings being turned off for starters, then there's the fact the content of the APK is different to that on the play store.
It all stinks. This isn't about 3rd parties, hacking or anything else. It's about the trust placed in companies people buy tat from, and why this one is purposefully (apparently) misleading customers.
Friday 19th October 2018 10:56 GMT Jason Bloomberg
Re: Think of it this way
They *could* be doing it 'correctly' but choose not to. Why? Why mislead people into thinking they are getting playstore content?
That is the unanswered question. I don't mind side-loading when there's informed consent but cannot approve of hiding that under "Get it from Google Play" when that's not the mechanism invoked, and especially when the downloaded .apk is different from that which does come from Google Play.
It's straightforward deception as I see it.
Friday 19th October 2018 16:11 GMT Robert Helpmann??
Re: Think of it this way
Why mislead people into thinking they are getting playstore content?
Exactly! If my first interaction with a company or individual consists of their telling me they will do A and instead do B while trying to hide the fact, I don't need much deeper analysis than that to realize I need to take my business somewhere else. The same should also be said of subsequent interactions.
Tuesday 23rd October 2018 13:20 GMT the future is back!
Umm
Yes, true, Play reports to devs. However, the D/L stats from the sketchy DJI service are high value. 1. The users are, as cited, likely to have download security switched off even after install has completed. 2. DJI drones provide tons of intel: 3D geolocation, video, various attachments that are available. Not that EVERY non-Play install forever compromises a phone, but that list is a good place to start an attack.
Friday 19th October 2018 14:16 GMT David Gosnell
"Users will forget to turn security back on after loading a non-play store app."
As far as I know, default behaviour is to allow sideloading to be authorised as a one-off action. Quite a neat way of doing it, so you can consciously install a specific APK from an alternative source but not, in fact, leave the facility enabled for less intentional or malicious subsequent downloading.
Friday 19th October 2018 19:49 GMT Ilgaz
App is different too
The apk served from the www site differs from the Google Play Store one. That is very alerting if you know the inner workings of Google Play. Sometimes, white hat developers of advanced utilities ship an "xda version" and a Play Store version for good purposes.
Forget everything, pushing ordinary users to enable browser apk sideloading is evil.
Friday 19th October 2018 10:50 GMT Cuddles
"To falsely say "Get it on Google Play" and then do nothing of the sort is deliberately misleading and should be highlighted."
Exactly. A lot of people seem to be rather missing the point. The problem is not that DJI are offering a download from their own servers instead of Google's. Plenty of people already do that, and while issues of security do get raised it's not really different from installing a program on your PC from somewhere other than the MS store. And note that there didn't used to be any such thing as the MS store so until very recently that was essentially the only option.
No, the problem is that DJI are apparently deliberately lying to people. They say they're sending people to Google, but are actually doing no such thing. Which is then made all the more suspicious by having the file they offer different from the one provided if you actually go to Google to find the same thing. I doubt many of us posting here have a big problem with being able to install programmes from wherever we like, but any sane person should have a problem with being lied to about what we're trying to install.
Friday 19th October 2018 23:51 GMT Flashfox
Re: That's actually a good feature
You buy a Google product, you embrace the Google environment. Nothing different than Apple and their ecosystem.
Perhaps you need to buy a Google phone (device, etc.), hack it, load a non-Google/Android OS then take your chances and load APKs as you will. If you want to play with a Google device in the Google ecosystem, then you get the whole package, the good and the less good.
Friday 19th October 2018 07:02 GMT Anonymous Coward
getting software via a side channel
yeah, trust google, come to daddy... Or mummy, take your pick:
Mama's gonna keep you right here
Under her wing
she won't let you fly but she might let you sing
Mama will keep baby cosy and warm
Ooooh Babe Ooooh Babe Ooooh Babe
Of course Mama's gonna help build the wall
Friday 19th October 2018 07:58 GMT Paul 135
Wise up El Reg and stop interfering. I would vastly prefer it if all app manufacturers just gave me the .apk rather than giving Google a monopoly over application distribution and hence forcing me to install Google Play on my devices (where they get a dirty 30% cut of all apps sold - or something like that).
Friday 19th October 2018 09:01 GMT Andy 73
Ummm..
You do understand that the DJI app has Google dependencies in it, so even if you sideload it, you're still going to have to have Google stuff on your device? This is absolutely not helping you to avoid the Google monopoly, but is helping you avoid the vast amount of money Google has had to put into security to avoid headlines like "Toy manufacturer has website hacked, millions of users' details exposed".
Friday 19th October 2018 15:01 GMT Zolko
Re: F-Droid
It has to do with the supposed security model of the Google Play Store: if it's such an important thing, F-Droid should be banned, and a walled garden be erected around the Google Play Store. Which I don't want to happen, I want to decide what to install. If I want to take the risk of installing crap, I want it to be possible.
But that's no excuse to mislabel a "download app" as "get it from GooglePlay"
Friday 19th October 2018 09:14 GMT Mage
Walled Garden
Relying on iTunes, MS, Amazon or Playstore to curate security in exchange for their control of what you install is a poor deal.
There is nothing inherently less secure about a recognised vendor supplying direct and cutting out the privacy busting, parasitical, gadget controlling middle men.
I also remember the Archos 4.3" PMP player crippled and then orphaned because only the apps that Archos decided to supply could be bought.
I've been using desktop computers for nearly 40 years and never got a trojan or virus (Windows 1992 to 2017). User Education and better browser design (built in script control & secure sandbox) is more use than relying on a walled garden app store.
Friday 19th October 2018 09:59 GMT DropBear
Re: Walled Garden
Hear, hear! If you can't make your own judgements regarding what you trust and what you don't, if you're trying to defer responsibility* for what you install on your hardware, then you have no business operating it. You will NOT get more security** by using a centralized store, but you WILL get extra walls, arbitrary rules of what is "allowed" and what is not, loss of privacy by definition concerning what you have installed, having your choices screwed with by definition through the order in which your search results get ranked and sorted, being bombarded with shit about "you might want to also install / what others use" and much, much more. Woohoo, what's not to like...?!?
* That's not something you can do anyway; that responsibility is yours regardless of whether you accept it or not and whether you are capable of handling it or not - the consequences won't give a shit either way. It won't be Google who stays safe or get pwned: it will be _you_.
** So is stand-alone app "X" trustworthy _enough_ to install, yes or no? No...? Okay, you can get it from the app store too - did that suddenly make it trustworthy enough? See, of course it didn't. It's completely irrelevant how much "more" secure that allegedly makes it. If your judgement hinges on having "X" scanned by an app store, you absolutely deserve everything you're gonna get.
Friday 19th October 2018 14:38 GMT Graham Cobb
Re: Walled Garden
While I completely agree about user education and care, it is not correct to say that there is no value in getting an app from the Play store. Google's security checking, while very limited, is not nothing. And, more importantly, getting the same version as a lot of other people makes it more likely that I will hear about any subsequent serious issue.
I also have never had a virus in over 40 years of using computers. And I use two phones with no Google accounts and no Play Store access. I prefer to get apks from F-Droid if possible, or from the Play Store (using my work phone to access them, which has access using the Google account I require for work). Getting them from the vendor is my third choice (and is not often possible). I almost never get them from 3rd parties such as Yalp.
Friday 19th October 2018 14:17 GMT Anonymous Coward
Online QR code scanners
There are online sources to verify QR codes to reveal the download URL.
I downloaded the QR code .jpg image and uploaded the image to an online QR code scanner and verified that it does indeed resolve to an http DJI site: http://m.dji[DOT]net/djigo4 but my desktop browser (with HTTPS Everywhere installed) pulled up an https version of the download site that uses a certificate from Go Daddy that has been valid since 5/24/2018.
I was presented with a webpage that translated to: "Wonderful trip is about to open. Please open it with your mobile browser"
Entering the above URL while using a spoofed user agent string for a mobile browser retrieves the actual APK from: https://adhoc-usa.djicdn[DOT]com/production/android_app/REDACTED auth key
This is why QR codes should be avoided, they are just as dangerous as URL shortened links.
(There were also some malicious QR code scanner apps removed from the Play Store recently)
Friday 19th October 2018 14:39 GMT Anonymous Coward
Re: Online QR code scanners
Hmmm, it doesn't look like my downloaded DJI apk has ever had its SHA-256 sum run through VirusTotal before.
That is odd.
It is my "THEORY" that DJI may have been trying to tie the APKs to an individual based upon the IP address and mobile browser fingerprint.
(hence the different config files inside the app as reported and the auth keys assigned when downloading)
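A defender-side way to check the claim running through this thread (and Ilgaz's "App is different too" post above) that the website APK is not the Play Store APK, as an added example that is not from the thread or from DJI: an APK is a zip archive, so hashing every entry shows *which* files differ rather than just that the whole-file SHA-256 (the value you would look up on VirusTotal) does not match. The two APKs below are constructed in memory with placeholder contents; for real downloads you would read the two files from disk instead.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, the same digest you would look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def apk_entry_hashes(apk_bytes: bytes) -> dict:
    """An APK is a zip file: map every file entry to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: sha256_hex(zf.read(i)) for i in zf.infolist() if not i.is_dir()}


def diff_apks(play_bytes: bytes, web_bytes: bytes) -> dict:
    """Compare two APK downloads entry by entry.

    Returns both whole-file digests plus the entry names that exist in only one
    archive or whose contents differ, so a per-download token or a changed
    config file shows up by name instead of as an opaque hash mismatch.
    """
    play, web = apk_entry_hashes(play_bytes), apk_entry_hashes(web_bytes)
    return {
        "play_sha256": sha256_hex(play_bytes),
        "web_sha256": sha256_hex(web_bytes),
        "only_in_play": sorted(set(play) - set(web)),
        "only_in_web": sorted(set(web) - set(play)),
        "changed": sorted(n for n in play.keys() & web.keys() if play[n] != web[n]),
    }


def build_sample_apk(entries: dict) -> bytes:
    """Constructed stand-in for a real APK download (a zip with fixed timestamps)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (placeholder contents, not DJI's real files): identical code,
# but the web copy carries a different config file and a per-download token.
COMMON = {"AndroidManifest.xml": b"<manifest package='example.app'/>", "classes.dex": b"dex\n035\x00"}
PLAY_APK = build_sample_apk({**COMMON, "assets/config.json": b'{"channel": "play"}'})
WEB_APK = build_sample_apk({**COMMON, "assets/config.json": b'{"channel": "web"}',
                            "assets/download_token.txt": b"PLACEHOLDER-AUTH-KEY"})

if __name__ == "__main__":
    for key, value in diff_apks(PLAY_APK, WEB_APK).items():
        print(f"{key}: {value}")
```

If the only differences are in a config or token file while `classes.dex` and `AndroidManifest.xml` hash the same, the two builds share their code and the change is in the data shipped with it; a differing `classes.dex` means the code itself is not what Google vetted.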
Friday 19th October 2018 16:23 GMT Anonymous Coward
This also explains why...
I was unable to sideload the Facebook app I had extracted from an Android emulator but could sideload the Facebook apk I extracted from a device that was assigned to me.
This would also explain the mysterious Facebook related system apps that check SHA sums.
Apps being packaged on-the-fly that contain unique identifiers of the users downloading them?
(But what do I know)
Friday 19th October 2018 19:42 GMT Ilgaz
Say bye to auto updates too
Unless the app has an auto update function built in, Google Play will never update a sideloaded app; if it did, there would be chaos.
Apkmirror.com shouldn't confuse you, they offer the exact same apk files signed by Google play store on purpose, their purpose is different.
Friday 19th October 2018 19:50 GMT Anonymous Coward
Accident?
An accident that's been in place since at least May 2017.
https://web.archive.org/web/20170701151954/https://www.dji.com/spark/info
The link also changed from "dl[.]djicdn[.]com/downloads/Spark/20170526/DJI+GO+4+Android.apk" to "adhoc[.]djiservice[.]org/show_app/AndroidApp/DJIGO4" https://web.archive.org/web/20170711201142/https://www.dji.com/spark/info
Sorry, but I'm not buying the whole accident bit.
Friday 19th October 2018 20:23 GMT tekHedd
So let's emphasize the lying part next time, perhaps?
As a user of a phone without any google apps whatsoever, I always appreciate when a company makes the APK directly available. (When it's a company I trust, anyway.) If Google Play is the only way to get an app, I have to violate Google's terms of service to get it. And yes I know there are handy tools that offer an easy, convenient way to violate the ToS and get the apps. :/
Offering an APK download from a "Google Play" button, yeah, that's shady. Offering an APK download, that's just how I like it.
Saturday 20th October 2018 12:03 GMT o p
maybe it's true
Maybe one of the devs found it complicated to go through the store process and explained it was faster to make the apk available for download.
The image for the link was not changed simply because they didn't have another available.
I have no difficulty to believe this mix of stupidity, incompetence and carelessness, I see it every day.