The 249-gram DJI Mavic Mini was introduced at the end of October 2019 as the successor to the DJI Spark photo drone. Because of its low weight, it falls outside many legal regulations, such as the German drone law or mandatory registration in the USA. Nevertheless, DJI has not skimped on features. In the following test report, we find out whether security was given the same importance in the design as the gram-precise adherence to the weight class.

DJI Fly app – Home screen

The European drone law, originally planned for 2020, has been provisionally postponed to 2021. Like the German drone law, it regulates the use of drones according to their weight. Thanks to its low weight of 249 grams, the DJI Mavic Mini belongs to the lowest category of the regulation (C0, maximum 250 grams) and is therefore subject to only a few restrictions: it neither has to carry a registration sticker nor be registered with an authority.

Technical data

Since 2012, DJI (Da-Jiang Innovations Science and Technology Co., Ltd) has been producing drones for the mass market, starting with the Phantom and later the Mavic series, which includes the Mini.

DJI Fly App – Ready to fly

It has a 3-axis gimbal and a 12-megapixel camera that records video at up to 2.7K at 30 frames per second or Full HD at 60 frames per second. GPS, GLONASS and hover sensors are integrated for indoor and outdoor positioning. Folded, it measures 140 x 82 x 57 millimetres. On our model, remote control and drone communicate on 5.8 GHz; some international models also support the 2.4 GHz band. The ranges differ accordingly (EU version: 500 m; international models 2000 m or up to 4000 m, depending on the variant).

The 2400 mAh battery allows flights of up to 30 minutes and a maximum speed of about 47 km/h.

Setup

Once the remote control and drone are switched on, they can be linked to a DJI account. Without registration, both range and altitude are limited; by how much is not specified, and no reason for the limitation is given.
The firmware update downloaded after pairing was obtained over a TLS 1.2 encrypted connection. Firmware updates must be installed separately for each system component (drone, remote control, batteries). No-fly zone data was also downloaded and set up automatically.

On our model, the remote control and drone communicate on an automatically selected channel in the 5.8 GHz band, which lies in the upper part of the 5 GHz Wi-Fi spectrum.

App

The DJI Fly app (Android, iOS) was redesigned specifically for the Mavic Mini and Mavic Air 2. Obfuscation and the SecNeo protection framework make reverse engineering considerably harder, and in practice effectively prevent it.

The app stores very detailed information about the drone’s flight operations. This information is written to the shared (“public”) storage of the smartphone (/sdcard) and can therefore also be read by other apps. Although these files are encrypted, they can be converted into readable formats with little effort using freely available software. The log files contain the drone’s GPS coordinates, the number of GPS satellites, barometer data, readings from the acceleration and gyro sensors, and more.

FlightRecord DAT-File
Converted DAT-Flightrecord, more than 3000 entries in 180 seconds
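
The point of the finding above is where the files live, not whether their content is encrypted: anything under shared storage is reachable by other apps holding the storage permission. The following added example (not DJI’s code, not part of the original report) audits a file listing of the kind one obtains from a device and flags flight-data-looking files that sit outside app-private storage. The package name com.example.droneapp and all paths in the sample listing are constructed stand-ins, not DJI’s real paths.

```python
"""Audit which of an Android app's files sit in shared storage (readable by any
app with the storage permission) versus app-private internal storage.

Added example, not DJI's code. The package name com.example.droneapp and the
sample paths are constructed to mirror the report's finding (flight records
and streamed video under /sdcard); they are not the real DJI Fly paths.
"""
import posixpath
import re

# Shared ("external") storage roots as exposed on typical Android devices.
SHARED_ROOTS = ("/sdcard", "/mnt/sdcard", "/storage/self/primary")
EMULATED_RE = re.compile(r"^/storage/emulated/\d+(/|$)")
# App-private internal storage: only the owning app's UID can read it.
PRIVATE_RE = re.compile(r"^/data/(data|user/\d+)/[^/]+(/|$)")
# App-specific directories on shared storage (Android/{data,media,obb}/<pkg>):
# still readable by other apps with the storage permission before scoped storage.
APP_DIR_RE = re.compile(r"/Android/(data|media|obb)/[^/]+(/|$)")
# Names that suggest flight telemetry or the cached video stream.
FLIGHT_DATA_RE = re.compile(r"FlightRecord|\.dat$|\.mp4$", re.IGNORECASE)

# Constructed listing, as one might obtain with `adb shell find ...` (hypothetical paths).
SAMPLE_PATHS = [
    "/sdcard/DJI/com.example.droneapp/FlightRecord/FlightRecord_2020-01-05.txt",
    "/storage/emulated/0/DJI/com.example.droneapp/FlightRecord/MCDatFlightRecords/FLY003.DAT",
    "/storage/emulated/0/Android/data/com.example.droneapp/files/CACHE/stream_0001.mp4",
    "/data/data/com.example.droneapp/shared_prefs/settings.xml",
    "/data/user/0/com.example.droneapp/databases/cache.db",
    "/storage/emulated/0/DCIM/Camera/IMG_0001.jpg",
]


def classify_storage(path):
    """Return 'private', 'external-app-dir', 'shared' or 'other' for an absolute path."""
    p = posixpath.normpath(path)
    if PRIVATE_RE.match(p):
        return "private"
    on_shared = bool(EMULATED_RE.match(p)) or any(
        p == root or p.startswith(root + "/") for root in SHARED_ROOTS
    )
    if on_shared:
        return "external-app-dir" if APP_DIR_RE.search(p) else "shared"
    return "other"


def audit(paths):
    """Group paths by storage class, preserving input order within each group."""
    groups = {"private": [], "external-app-dir": [], "shared": [], "other": []}
    for p in paths:
        groups[classify_storage(p)].append(p)
    return groups


def exposed_flight_data(paths):
    """Flight-data-looking files that other apps could read, sorted for stable output."""
    return sorted(
        p for p in paths
        if classify_storage(p) in ("shared", "external-app-dir") and FLIGHT_DATA_RE.search(p)
    )


if __name__ == "__main__":
    for cls, entries in audit(SAMPLE_PATHS).items():
        print(f"{cls}: {len(entries)} file(s)")
    print("exposed flight data:")
    for p in exposed_flight_data(SAMPLE_PATHS):
        print("  ", p)
```

The classification deliberately treats the app-specific external directory (Android/data/<package>) as exposed: on the Android versions current at the time of the test, any app granted the storage permission can read it. From a hardening perspective, telemetry that only the app itself needs belongs in app-private internal storage (the directory returned by Android’s Context.getFilesDir()), where file-content encryption is a second layer rather than the only one.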

In the event of a warranty claim, the logs can be used to determine in detail whether there was a technical failure or a user error. In addition to the logs, the app stores the 720p video stream received via the remote control in the same storage area.

Online communication

During the test, the online communication of the DJI app was always TLS 1.2 encrypted. Some connections, such as those to DJI’s firmware update servers, are protected by certificate pinning in addition to ordinary certificate validation, which effectively protects them against man-in-the-middle attacks. Most communication goes through Amazon CloudFront; DJI’s own servers and Google analytics services are also contacted.
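To make concrete what certificate pinning adds on top of ordinary chain validation, here is an added example of a pinning check in a TLS client. It is not DJI’s code and nothing on this page describes DJI’s implementation; the host, port and the byte strings standing in for DER certificates are constructed placeholders, and real pins would have to be computed from the certificates an operator actually deploys.

```python
"""Certificate pinning on top of normal TLS validation.

Added example, not DJI's code. Pin values and the byte strings used as
stand-ins for DER certificates are constructed; real pins come from the
certificates actually deployed on the server.
"""
import base64
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server certificate matches none of the configured pins."""


def cert_pin(cert_der):
    """Pin string for a DER-encoded certificate: 'sha256/' + base64(SHA-256(DER)).

    This pins the whole certificate, so it breaks whenever the server
    certificate is renewed, even if the key stays the same. Pinning the
    SubjectPublicKeyInfo instead survives key-preserving renewals.
    """
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check_pins(presented_ders, pinned):
    """True if any presented certificate (DER bytes) matches a configured pin.

    Fails closed: an empty chain or an empty pin set never matches.
    """
    if not pinned or not presented_ders:
        return False
    return any(cert_pin(der) in pinned for der in presented_ders)


def pin_set_problems(pinned):
    """Operational sanity checks on a pin set; returns a list of findings (empty = fine)."""
    problems = []
    if len(pinned) < 2:
        problems.append("fewer than two pins: no backup pin, a certificate rotation would lock clients out")
    for pin in pinned:
        if not pin.startswith("sha256/"):
            problems.append("unsupported pin algorithm: " + pin)
            continue
        try:
            # binascii.Error (a ValueError subclass) is raised on non-alphabet input.
            raw = base64.b64decode(pin[len("sha256/"):], validate=True)
        except ValueError:
            problems.append("pin is not valid base64: " + pin)
            continue
        if len(raw) != 32:
            problems.append("pin is not a 32-byte SHA-256 digest: " + pin)
    return problems


def connect_pinned(host, pinned, port=443, timeout=5.0):
    """Open a TLS connection, validate the chain and hostname normally, then enforce the pins.

    Returns the pin of the presented leaf certificate on success. Needs network
    access, so it is not exercised in the offline demo below.
    """
    context = ssl.create_default_context()  # ordinary validation first, pinning second
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            if not check_pins([leaf_der], pinned):
                raise PinMismatch("certificate for %s matches none of %d pins" % (host, len(pinned)))
            return cert_pin(leaf_der)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real DER blobs come from the handshake.
    genuine_leaf = b"constructed DER of the genuine update-server certificate"
    backup_leaf = b"constructed DER of the pre-staged backup certificate"
    other_leaf = b"constructed DER of a certificate that passes chain validation but is not pinned"
    pins = {cert_pin(genuine_leaf), cert_pin(backup_leaf)}
    print("pin set problems:", pin_set_problems(pins) or "none")
    print("genuine certificate accepted:", check_pins([genuine_leaf], pins))
    print("unpinned certificate accepted:", check_pins([other_leaf], pins))
```

The order in connect_pinned matters: pinning is an additional check after the normal chain and hostname validation, never a replacement for it. The pin_set_problems helper encodes the operational caveat that comes with pinning, namely that a single pin with no backup turns a routine certificate renewal into a client-side outage.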

Firmware

The DJI Fly app regularly checks for firmware updates, which are available for the remote control as well as for the drone and batteries. They are downloaded over TLS 1.2 encrypted, certificate-pinned connections, but the firmware data itself is mostly not encrypted. Several open-source projects on the net aim to modify the firmware, among other things to lift manufacturer restrictions (e.g. the reduced range in the EU). We deliberately do not link to these projects, as such changes may cause legal limits to be exceeded.

DJI Fly app – Firmware overview

The firmware can also be updated via USB, which requires DJI Assistant to be installed on the PC/Mac. This route also allows a specific firmware version to be selected and installed.

DJI Assistant 2 Firmware list

Privacy

DJI’s general privacy policy (as of 11.09.2019) informs users and prospective buyers about some important topics, but leaves some questions unanswered. Data is stored and processed worldwide; during the test, most communication was observed to go to the USA.

The app gives the owner comparatively many options for self-determination in matters of privacy. For example, the owner can decide whether recorded flights or other diagnostic information are sent to DJI. However, there is no information on how long this data is retained.

DJI Fly App – Privacy settings

The privacy policy says nothing about integrated trackers, however. Static analysis shows that Google Firebase and Crashlytics are integrated. The map service Mapbox is also not mentioned, even though the app communicated with it.

What puzzles us in the area of privacy is the “optional” account requirement. Although the drone can be used without registering with DJI, flight altitude and range are then limited. Furthermore, a notice that the drone is being used without an account is displayed almost permanently. Sooner or later the owner will create an account and, in most cases, register all of the device’s flight data.

Conclusion

With the Mavic Mini, DJI has launched a light, high-quality drone that has no need to hide in terms of security. In addition to encrypted Internet communication and a well-protected app, it offers the user good privacy settings. Nevertheless, DJI should reconsider the indirect account requirement.