FYI: Drone maker DJI's 'Get it on Google Play' website button definitely does not get the app from Google Play...

Drone manufacturer DJI is under fire because the "Get it on Google Play" button on its website for its smartphone app does anything but that. An anonymous reader pointed El Reg on Thursday to a GitHub-hosted page outlining how users on Android devices who click the "Get it on Google Play" button on DJI's Spark software …
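The defect the article describes is a badge that promises one download source and delivers another. As an added example (not code from The Register, DJI or the GitHub page the article cites), here is a small stdlib-only scanner that finds every link advertising Google Play on a page and flags those whose href does not actually resolve to play.google.com or a market:// URI; the sample page and its hostnames are constructed.

```python
"""Audit 'Get it on Google Play' badges on a web page.

Added example (not code from The Register or from the GitHub page the
article cites): find every link advertising Google Play, by link text or
badge image alt text, and flag those whose href does not resolve to
play.google.com or a market:// URI. The sample page below is constructed;
the hostnames in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BadgeLinkParser(HTMLParser):
    """Collect (href, label) for each <a>; label is its text plus img alt text."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the <a> currently open, if any
        self._label = []
        self.links = []        # list of (href, label) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href") or ""
            self._label = []
        elif tag == "img" and self._href is not None:
            self._label.append(a.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._label).strip()))
            self._href = None


def is_play_store_url(href):
    """True only for real Play Store targets: market:// or http(s)://play.google.com/..."""
    u = urlparse(href.strip())
    if u.scheme == "market":
        return True
    # hostname is lower-cased by urlparse; an exact match rejects look-alike
    # hosts such as play.google.com.attacker.invalid
    return u.scheme in ("http", "https") and u.hostname == "play.google.com"


def audit_play_badges(html):
    """Return [(href, label, ok)] for every link that advertises Google Play."""
    p = _BadgeLinkParser()
    p.feed(html)
    return [(href, label, is_play_store_url(href))
            for href, label in p.links if "google play" in label.lower()]


def misleading_play_badges(html):
    """The hrefs of badges that promise Google Play but lead somewhere else."""
    return [href for href, _label, ok in audit_play_badges(html) if not ok]


# Constructed sample: one honest badge, one misleading badge, one unrelated link.
SAMPLE_HTML = """
<a href="https://play.google.com/store/apps/details?id=example.app">
  <img alt="Get it on Google Play" src="badge.png"></a>
<a href="https://adhoc.example.invalid/show_app/AndroidApp/EXAMPLE">
  <img alt="Get it on Google Play" src="badge.png"></a>
<a href="https://example.invalid/manual">User manual</a>
"""

if __name__ == "__main__":
    for href, label, ok in audit_play_badges(SAMPLE_HTML):
        print("OK        " if ok else "MISLEADING", label, "->", href)
```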

  1. Mark 85

    So rather than trusting the manufacturer's website and the downloads from said site, we should trust Google? Just seems strange to trust Google more than the manufacturer.

    1. sabroni Silver badge

      The idea is that Google's vetting adds some security. In theory it's the same app, one copy has been vetted by Google, one potentially hasn't. So it's not trust Google instead of the manufacturer, it's as well.

      However, the fact that the manufacturer wants to avoid Google's security precautions doesn't fill me with confidence, given that the apk itself is different. What's in there that Google won't allow in the store?

    2. robidy

      Users will forget to turn security back on after loading a non-play store app.

      Chinese company DJI will have a list of these users.

      No UK Police or other law enforcement have ever used drones, let alone any from DJI.

      Of course Chinese companies and the government would never dream of doing anything with this info.

      1. Anonymous Coward

        Think of it this way

        Which do you think is more likely to have their website hacked and have a compromised binary substituted, Google Play or a toy manufacturer?

        1. anonanonanon

          Re: Think of it this way

          While DJI do make consumer drones, they're hardly toys anymore, they've made a huge dent in professional markets.

          They also have a history of somewhat less than perfect transparency of their data harvesting to the point that the US military banned their use.

          1. H in The Hague

            Re: Think of it this way

            "While DJI do make consumer drones, they're hardly toys anymore, they've made a huge dent in professional markets."

            Yup. Currently working with a drone company and learning a lot about this kit. Just over a grand will get you a DJI drone with a pretty good camera. Perfectly good for many photography and video applications, and some surveying jobs.

            Also gets you DJI geofencing. Stops you from accidentally flying your drone into restricted airspace (potentially saving you thousands in fines, and zillions in damages if you shut down a major airport with a drone incursion). But the geofencing is not perfect. One operator I know is based at a _former_ military aerodrome and for ages the geofencing map wasn't updated and stopped them flying a DJI drone at their home base. Also means that DJI can potentially map your whole country as restricted airspace and shut down your drone operations completely. So perhaps not the best brand to choose for public services applications (go on, call me a cynic).

            Here's to a good weekend - may your pints and drones have a safe flight.

        2. rmason

          Re: Think of it this way

          @DougS

          The point here isn't the likelihood of websites etc. being compromised, it's the likelihood of the company being up to "shenanigans" for their benefit.

          As the article states the app on their site *is* different to the one they already have on the playstore.

          They *could* be doing it 'correctly' but choose not to. Why? Why mislead people into thinking they are getting playstore content?

          As I say, the issue isn't google being hacked vs their site getting hacked, it is that they have, for some reason, made a conscious decision to fib to customers and force them to sideload. Sideloading on android requires a few security related settings being turned off for starters, then there's the fact the content of the APK is different to that on the play store.

          It all stinks. This isn't about 3rd parties, hacking or anything else. It's about the trust placed in companies people buy tat from, and why this one is purposefully (apparently) misleading customers.

          1. Jason Bloomberg Silver badge

            Re: Think of it this way

            They *could* be doing it 'correctly' but choose not to. Why? Why mislead people into thinking they are getting playstore content?

            That is the unanswered question. I don't mind side-loading when there's informed consent but cannot approve of hiding that under "Get it from Google Play" when that's not the mechanism invoked, and especially when the downloaded .apk is different from that which does come from Google Play.

            It's straight forward deception as I see it.

          2. Robert Helpmann??

            Re: Think of it this way

            Why mislead people into thinking they are getting playstore content?

            Exactly! If my first interaction with a company or individual consists of their telling me they will do A and instead do B while trying to hide the fact, I don't need much deeper analysis than that to realize I need to take my business somewhere else. The same should also be said of subsequent interactions.

      2. DaveLeeTravis

        Police Drone Use

        "No UK Police or other law enforcement have ever used drones, let alone any from DJI."

        Erm yeah that's not true at all. Some of them use DJI too.

        https://www.wetalkuav.com/uk-police-dji-drones/

        https://www.kent.police.uk/about-us/unmanned-aerial-vehicles/

        1. Phil Endecott

          Re: Police Drone Use

          https://www.bbc.co.uk/news/av/uk-england-lincolnshire-45770705/boston-rape-victim-found-by-police-drone

          1. robidy

            Re: Police Drone Use

            My comment was ironic :)

        2. robidy

          Re: Police Drone Use

          Ha ha! I thought my comment about the Police was outrageously ironic...does this mean 50% of El Reg readers are American or have they been infiltrated by the Chinese thought Police.

      3. eldakka

        Chinese company DJI will have a list of these users.

        The vendors get that information via the Play Store as well. Not to mention once their app is installed, it can pass that same information via their app back to the vendor anyway.

        1. the future is back!

          Umm

          Yes, true, Play reports to devs. However, the D/L stats from the sketchy DJI service are high value. 1. The users are, as cited, likely to have download security switched off even after install has completed. 2. DJI drones provide tons of intel: 3D geolocation, video, various attachments that are available. Not that EVERY non-Play install forever compromises a phone, but that list is a good place to start an attack.

      4. David Gosnell

        "Users will forget to turn security back on after loading a non-play store app."

        As far as I know, default behaviour is to allow sideloading to be authorised as a one-off action. Quite a neat way of doing it, so you can consciously install a specific APK from an alternative source but not, in fact, leave the facility enabled for less intentional or malicious subsequent downloading.

      5. The Mole

        Huh? Drones are used routinely by the UK and other police now. As well as seeing the results on TV I've seen the kit and spoken with the actual operators.

    3. Ilgaz

      App is different too

      The apk served from the www site differs from the Google Play store one. That is very alerting if you know the inner workings of Google Play. Sometimes, white hat developers of advanced utilities ship an "xda version" and a Play store version for good purposes.

      Forget everything, pushing ordinary users to enable browser apk sideloading is evil.

  2. Anonymous Coward

    Don't modern versions of Android whinge at you if they detect a sideload by default? Except people who turn that off, and those people should be bright enough to notice that the Google Play UI isn't part of the process. So not reeallllyyy a story

    1. Anonymous Coward

      I disagree. To falsely say "Get it on Google Play" and then do nothing of the sort is deliberately misleading and should be highlighted.

      1. Cuddles

        "To falsely say "Get it on Google Play" and then do nothing of the sort is deliberately misleading and should be highlighted."

        Exactly. A lot of people seem to be rather missing the point. The problem is not that DJI are offering a download from their own servers instead of Google's. Plenty of people already do that, and while issues of security do get raised it's not really different from installing a program on your PC from somewhere other than the MS store. And note that there didn't used to be any such thing as the MS store so until very recently that was essentially the only option.

        No, the problem is that DJI are apparently deliberately lying to people. They say they're sending people to Google, but are actually doing no such thing. Which is then made all the more suspicious by having the file they offer different from the one provided if you actually go to Google to find the same thing. I doubt many of us posting here have a big problem with being able to install programmes from wherever we like, but any sane person should have a problem with being lied to about what we're trying to install.

    2. sabroni Silver badge

      re: So not reeallllyyy a story

      Unless you think words meeeeean something.

    3. Anonymous Coward

      IIRC it will only whine once

      And everyone has already disabled that to install Fortnite.

  3. Field Commander A9

    probably because the webpage somehow erroneously detected that you're in china?

  4. Christian Berger

    That's actually a good feature

    I hate it when app-makers try to force me into getting a Google account.

    1. Anonymous Coward

      Re: That's actually a good feature

      Why do you have an Android phone if you don't want a Google account?

      1. Mage Silver badge

        Re: That's actually a good feature

        Because iPhone is overpriced and x4 what I can afford. There may be other niche alternatives not on offer in Tesco.

      2. DropBear

        Re: That's actually a good feature

        Why the hell would I want a Google account just to use a smartphone, whether it is an Android or not?!?

      3. JimmyPage Silver badge

        Re: Why do you have an Android phone if you don't want a Google account?

        As my bro keeps nagging me ... Lineage ?

      4. JohnFen

        Re: That's actually a good feature

        Why not? Not having a Google account doesn't really make the phone less useful.

    2. Flashfox

      Re: That's actually a good feature

      You buy a Google product, you embrace the Google environment. Nothing different than Apple and their ecosystem.

      Perhaps you need to buy a Google phone (device, etc.), hack it, load a non-Google/Android OS then take your chances and load APKs at your will. If you want to play with a Google device in the Google ecosystem, then you get the whole package, the good and the less good.

  5. Anonymous Coward

    getting software via a side channel

    yeah, trust google, come to daddy... Or mummy, take your pick:

    Mama's gonna keep you right here

    Under her wing

    she won't let you fly but she might let you sing

    Mama will keep baby cosy and warm

    Ooooh Babe Ooooh Babe Ooooh Babe

    Of course Mama's gonna help build the wall

  6. Peter Galbavy

    Erm, this is news? Been pointing this out for years - literally - as it's the only way to officially get the .apk file for non google ecosystems. But that then broke a while back as they now have dependencies on play store infrastructure.

    1. TheGreatCabbage

      Most Android apps don't need dependencies related to the Play Store, and there are many other app stores such as the Amazon Appstore, Aptoide and F-Droid.

  7. Paul 135

    Wise up El Reg and stop interfering. I would vastly prefer if all app manufacturers just gave me the .apk rather than giving Google a monopoly over application distribution and hence forcing me to install Google Play on my devices (where they get a dirty 30% cut of all apps sold - or something like that).

    1. Andy 73 Silver badge

      Ummm..

      You do understand that the DJI app has Google dependencies in it, so even if you sideload it, you're still going to have to have Google stuff on your device? This is absolutely not helping you to avoid the Google monopoly, but is helping you avoid the vast amount of money Google has had to put into security to avoid headlines like "Toy manufacturer has website hacked, millions of users' details exposed".

    2. MiguelC Silver badge

      You're missing the point... that is that DJI misleads you by telling you to get it from Google Play but instead directing you to their own site (and their site's apk is different from Google's one for extra fishy behavior)

      1. Mage Silver badge

        Dishonesty

        The dishonesty of the website link is the only serious issue.

    3. Anonymous Coward

      3 down votes already.

      Obvs people who like Google to do their thinking for them

  8. Zolko Silver badge

    F-Droid

    And what about F-Droid, that is another Android app store? To install apps from there the user also has to enable side-channel app installs. And it's Google-free. Is that good or bad now?

    1. Graham Cobb Silver badge

      Re: F-Droid

      F-Droid is undeniably good. But what has that got to do with DJI misleading their customers?

      1. Zolko Silver badge

        Re: F-Droid

        It has to do with the supposed security model of Google Play Store: if it's such an important thing, F-Droid should be banned, and a walled garden be erected around Google Play Store. Which I don't want to happen, I want to decide what to install. If I want to take the risk in installing crap, I want it to be possible.

        But that's no excuse to mislabel a "download app" as "get it from Google Play".

        1. JohnFen

          Re: F-Droid

          "It has to do with the supposed security model of Google Play Store: if it's such an important thing..."

          It's not an important thing. Google just wants you to think it is so that you'll willingly stay locked into their surveillance network.

  9. Mage Silver badge

    Walled Garden

    Relying on iTunes, MS, Amazon or Playstore to curate security in exchange for their control of what you install is a poor deal.

    There is nothing inherently less secure about a recognised vendor supplying direct and cutting out the privacy busting, parasitical, gadget controlling middle men.

    I also remember the Archos 4.3" PMP player crippled and then orphaned because only the apps that Archos decided to supply could be bought.

    I've been using desktop computers for nearly 40 years and never got a trojan or virus (Windows 1992 to 2017). User Education and better browser design (built in script control & secure sandbox) is more use than relying on a walled garden app store.

    1. DropBear

      Re: Walled Garden

      Hear, hear! If you can't make your own judgements regarding what you trust and what you don't, if you're trying to defer responsibility* for what you install on your hardware, then you have no business operating it. You will NOT get more security** by using a centralized store, but you WILL get extra walls, arbitrary rules of what is "allowed" and what is not, loss of privacy by definition concerning what you have installed, having your choices screwed with by definition through the order in which your search results get ranked and sorted, being bombarded with shit about "you might want to also install / what others use" and much, much more. Woohoo, what's not to like...?!?

      * That's not something you can do anyway; that responsibility is yours regardless of whether you accept it or not and whether you are capable of handling it or not - the consequences won't give a shit either way. It won't be Google who stays safe or get pwned: it will be _you_.

      ** So is stand-alone app "X" trustworthy _enough_ to install, yes or no? No...? Okay, you can get it from the app store too - did that suddenly make it trustworthy enough? See, of course it didn't. It's completely irrelevant how much "more" secure that allegedly makes it. If your judgement hinges on having "X" scanned by an app store, you absolutely deserve everything you gonna get.

    2. Graham Cobb Silver badge

      Re: Walled Garden

      While I completely agree about user education and care, it is not correct to say that there is no value in getting an app from the Play store. Google's security checking, while very limited, is not nothing. And, more importantly, getting the same version as a lot of other people makes it more likely that I will hear about any subsequent serious issue.

      I also have never had a virus in over 40 years of using computers. And I use two phones with no Google accounts and no Play store access. I prefer to get apks from F-Droid if possible, or from the Play Store (using my work phone to access them, which has access using the Google account I require for work). Getting them from the vendor is my third choice (and is not often possible). I almost never get them from 3rd parties such as Yalp.

  10. J27

    If you click through they've already fixed this. It looks like it was just a mistake.

  11. Anonymous Coward

    Online QR code scanners

    There are online sources to verify QR codes to reveal the download URL.

    I downloaded the QR code .jpg image and uploaded the image to an online QR code scanner and verified that it does indeed resolve to an http DJI site: http://m.dji[DOT]net/djigo4 but my desktop browser (with Https Everywhere installed) pulled up an https version of the download site that uses a certificate from Go Daddy that was valid since 5/24/2018.

    I was presented with a webpage that translated to: "Wonderful trip is about to open

    Please open it with your mobile browser"

    Entering the above URL while using a spoofed user agent string for a mobile browser retrieves the actual APK from: https://adhoc-usa.djicdn[DOT]com/production/android_app/REDACTED auth key

    This is why QR codes should be avoided, they are just as dangerous as URL shortened links.

    (There were also some malicious QR code scanner apps removed from the Play Store recently)

    1. Anonymous Coward

      Re: Online QR code scanners

      Hmmm, it doesn't look like my downloaded DJI apk has ever had its SHA-256 sum run through VirusTotal before.

      That is odd.

      It is my "THEORY" that DJI may have been trying to tie the APKs to an individual based upon the IP address and mobile browser fingerprint.

      (hence the different config files inside the app as reported and auth keys assigned when downloading)
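The check this thread keeps circling back to is whether the sideloaded file is the same as the Play Store one. As an added example (not code from any commenter or from DJI), here is a stdlib-only comparison of two APKs that reports each file's SHA-256 (the value one would look up on VirusTotal), which ZIP entries were added, removed or changed, and whether the v1 signature blocks under META-INF differ; the two tiny APK-shaped ZIPs it builds are constructed sample input, not real apps.

```python
"""Compare a sideloaded APK with the Play Store copy of the same app.

Added example, not code from any commenter or from DJI. Two tiny
APK-shaped ZIPs are constructed inline as sample input; no real app is
involved.
"""
import hashlib
import io
import zipfile

SIG_SUFFIXES = (".RSA", ".DSA", ".EC")   # v1 (JAR) signature block entries


def entry_digests(apk_bytes):
    """Map each file entry inside the APK to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def is_sig_block(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)


def compare_apks(a, b):
    """Diff two APKs (raw bytes) and summarise what changed between them."""
    da, db = entry_digests(a), entry_digests(b)
    only_a = sorted(set(da) - set(db))
    only_b = sorted(set(db) - set(da))
    changed = sorted(n for n in set(da) & set(db) if da[n] != db[n])
    # APK Signature Scheme v2/v3 lives in the APK Signing Block outside the
    # ZIP entries; a change there shows up only in the whole-file hashes.
    sig_diff = any(is_sig_block(n) for n in only_a + only_b + changed)
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "identical": a == b,
        "only_in_a": only_a,
        "only_in_b": only_b,
        "changed": changed,
        "signature_block_differs": sig_diff,
    }


def build_sample_apk(config_text, auth_key=None, signer_blob=b"signer-A"):
    """Construct a minimal APK-shaped ZIP (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("assets/config.json", config_text)
        if auth_key is not None:   # a per-download token, as commenters suspected
            zf.writestr("assets/auth_key.txt", auth_key)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", signer_blob)   # stand-in for a PKCS#7 block
    return buf.getvalue()


PLAY_APK = build_sample_apk('{"channel": "play"}')
SIDELOADED_APK = build_sample_apk('{"channel": "web"}', auth_key="constructed-token-123")

if __name__ == "__main__":
    for key, value in compare_apks(PLAY_APK, SIDELOADED_APK).items():
        print(f"{key}: {value}")
```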

  12. JohnFen

    DJI

    I certainly don't trust DJI or their products, but not because they offer a way to get their app without using the Play Store -- that's a good thing, not a bad one. However, misrepresenting the source of the download that the button uses is a bad thing.

  13. Anonymous Coward

    This also explains why...

    I was unable to sideload the Facebook app I had extracted from an Android emulator but could sideload the Facebook apk I extracted from a device that was assigned to me.

    This would also explain the mysterious Facebook related system apps that check SHA sums.

    Apps being packaged on-the-fly that contain unique identifiers of the users downloading them?

    (But what do I know)

  14. Anonymous Coward

    The problem

    that at least some of my fellow commentards appear to be attempting to communicate is that Google is misleading & lying to consumers (and regulatory agencies) more or less constantly. Trust liar X or liar Y?

    Me--I don't have a smart phone.

  15. Ilgaz

    Say bye to auto updates too

    Unless the app has an auto update function built in. Google Play will never update a side loaded app; if it did, there would be chaos.

    Apkmirror.com shouldn't confuse you, they offer the exact same apk files signed by Google play store on purpose, their purpose is different.

  16. Anonymous Coward

    Accident?

    An accident that's been in place since at least May 2017.

    https://web.archive.org/web/20170701151954/https://www.dji.com/spark/info

    The link also changed from "dl[.]djicdn[.]com/downloads/Spark/20170526/DJI+GO+4+Android.apk" to "adhoc[.]djiservice[.]org/show_app/AndroidApp/DJIGO4" https://web.archive.org/web/20170711201142/https://www.dji.com/spark/info

    Sorry, but I'm not buying the whole accident bit.

  17. tekHedd

    So let's emphasize the lying part next time, perhaps?

    As a user of a phone without any google apps whatsoever, I always appreciate when a company makes the APK directly available. (When it's a company I trust, anyway.) If Google Play is the only way to get an app, I have to violate Google's terms of service to get it. And yes I know there are handy tools that offer an easy, convenient way to violate the ToS and get the apps. :/

    Offering an APK download from a "Google Play" button, yeah, that's shady. Offering an APK download, that's just how I like it.

  18. o p

    maybe it's true

    Maybe one of the devs found it complicated to go through the store process and explained it was faster to make the apk available for download.

    The image for the link was not changed simply because they didn't have another available.

    I have no difficulty believing this mix of stupidity, incompetence and carelessness; I see it every day.
