Addressing data security concerns with DJI drones

A guide to how DJI drones, flight apps, and software are designed to protect user data and uphold privacy. DJI has released its 2025 data security white paper.

  • UPDATE (June 2025): DJI releases the 2025 edition of its Drone Security White Paper - updated to reflect additional security improvements and new product developments;

  • DJI has a robust architecture in place to keep sensitive data safe and secure, and to uphold user privacy;

  • Features include Local Data Mode, which enables a user's device to be operated completely offline, as well as AES-256 video transmission encryption, and one-tap clear all device data;

  • DJI says no flight logs, videos, or images are synced with its servers unless users choose to do so;

  • DJI FlightHub 2 uploads, stores and manages data on cloud servers operated by Amazon Web Services, compliant with ISO security certifications. An On-premises Version has also been released, for an additional layer of security;

  • DJI's data protection protocols have been verified through independent security validations. Scroll towards the bottom of this blog to see a selection of these verifications.

Data security is a crucial consideration for drone operators, considering the unique role that UAS play as a data capture tool.

DJI drones, flight apps, and software platforms are bolstered with a comprehensive suite of features to ensure users have control over the data they generate and that sensitive information is protected. 

As such, operators of drones such as the DJI M400 Series, DJI Matrice 4 Series, Matrice 4D Series, M350 RTK, and Mavic 3 Enterprise Series, as well as the DJI Dock ecosystem, can utilise this robust architecture to secure their data.

On top of this, the DJI FlightHub 2 cloud-based drone management platform stores and manages data on AWS cloud servers - compliant with ISO security standards. DJI has also released the self-hosted On-premises Version - enabling organisations to store and control all drone data entirely within their own secure IT environment.

With DJI-certified FlightHub 2 On-prem delivery engineers, heliguy™ can work with you to set up this solution.

This blog takes a deep-dive into DJI's robust data security infrastructure and explains how this improves the security and integrity of sensitive data. It covers topics such as:

  • Device security

  • Application security

  • Data security and privacy controls

  • Communication security

  • Cloud security

  • Security audits and certifications

DJI reiterates that its systems are safe and secure, and that the data security of its products has been reviewed repeatedly and independently verified.

DJI White Paper 2025

DJI has published the 2025 edition of its Drone Security White Paper: An updated version outlining how DJI products are designed to protect data, uphold user privacy, and ensure operational reliability.

The latest installment - revised from its initial document first published in 2020 - consolidates recent updates across the ecosystem, including new security features, privacy controls, and results from independent audits.

This includes the ISO 27701 certification for DJI FlightHub 2, which has also just launched an On-premises Version: A robust, self-hosted drone management solution.

It includes data security features for the most recent drones across its consumer, enterprise, and agriculture ecosystem, such as the DJI Mavic 4 Pro, DJI M400, DJI Dock 3, and T100.

This blog has been updated to include information contained within the DJI White Paper 2025 (Version 3.1).

DJI data security: At a glance

This blog takes an in-depth look at DJI's data security mechanisms.

However, for an at-a-glance overview before diving into the nitty-gritty, here are some key takeaways from DJI's 2025 White Paper.

  1. Security is embedded into every layer, covering hardware, firmware, flight apps, and cloud infrastructure.

  2. Local Data Mode (LDM) ensures that apps sever all internet connections. Consumer and enterprise drones can use LDM.

  3. User control comes first: No flight logs, videos, or images are synced with DJI servers unless a user chooses to do so. Privacy preferences can be managed via the flight app settings.

  4. Enterprise operators have additional security modes and controls, including the ability to add a security code, wipe data, and update their drone offline.

  5. FlightHub 2 is a fully-fledged ISO 27001 and 27701-certified solution. Plus, FlightHub 2 On-premises offers an additional layer of security.

  6. 4G and OcuSync links are encrypted and authenticated.

  7. DJI's Software Development Kits (SDKs) cater to custom developers, but come with data security mechanisms.

  8. DJI's security measures are backed by third-party audits.

DJI drones: Class-leading protection

The tables below provide an overview of data security features and mechanisms for DJI's most recent platforms across its consumer, enterprise, and agriculture range.

These are:

  • Consumer: DJI Mavic 4 Pro and DJI Fly.

  • Enterprise: DJI M400, DJI Pilot 2, and DJI FlightHub 2; and DJI M4D Series, DJI Dock 3, DJI FlightHub 2.

  • Agriculture: T100 or DJI Agras.

The tables show security features for the device, app, and cloud. We'll cover these security features in more detail later in this article.

Device

Security features | Consumer: DJI Mavic 4 Pro, DJI Fly | Enterprise: DJI M400, DJI Pilot 2, DJI FlightHub 2 | Enterprise: DJI M4D Series, DJI Dock 3, DJI FlightHub 2 | Agriculture: T100, DJI Agras

Trusted execution environment

Secure boot

Secure update

Device certificate

Log export encryption

Log one-click deletion

-

-

SD card log encryption

-

-

-

Media data encryption

-

-

Reset all

-

-

-

Communication security

Quick connect and transfer

-

-

-

App

Security features | Consumer: DJI Mavic 4 Pro, DJI Fly | Enterprise: DJI M400, DJI Pilot 2, DJI FlightHub 2 | Enterprise: DJI M4D Series, DJI Dock 3, DJI FlightHub 2 | Agriculture: T100, DJI Agras

Application hardening

-

Local resource encryption

-

Network Security Mode

LDM only

-

*LDM will be supported in 2025

Offline firmware update

-

-

-

Offline Geo Zone unlocking

-

-

-

Offline map

-

-

-

Cloud

Security features | Consumer: DJI Mavic 4 Pro, DJI Fly | Enterprise: DJI M400, DJI Pilot 2, DJI FlightHub 2 | Enterprise: DJI M4D Series, DJI Dock 3, DJI FlightHub 2 | Agriculture: T100, DJI Agras

Secure communication via TLS

Multi-layer cloud security protection

Storage encryption for personal data

Cloud API

-

-

Security features by DJI drone

The table above highlights security features for DJI's latest drone products.

The table below provides an at-a-glance overview of key security features found on a range of DJI aircraft, as stated in the 2025 White Paper.

| Security feature | Supported models |
| --- | --- |
| Device certificates | Mavic 3 series, Air 3S, Mini 4 series, Avata 2, Neo, Flip, Inspire 3, Matrice 4 series, Mavic 3 Enterprise series, Matrice 400, Matrice 350 RTK, Matrice 4TD/4D, Matrice 3TD/3D, Remote Drone Operations Solution, FlyCart 30, T100/T70P/T70, T60/T25P, T50/T25 |
| Secure boot | Mavic 3 series, Air 3S, Mini 2 SE, Mini 3 series, Mini 4 series, Avata 2, Neo, Flip, Inspire 3, Matrice 4 series, Mavic 3 Enterprise series, Matrice 400, Matrice 350 RTK, Matrice 4TD/4D, Matrice 3TD/3D, Remote Drone Operations Solution, FlyCart 30, T100/T70P/T70, T60/T25P, T50/T25 |
| Log one-click deletion | Matrice 400, Matrice 350 RTK, Matrice 4TD/4D, Matrice 3TD/3D, Matrice 4 series, Mavic 3 Enterprise series, Inspire 3 |
| SD card log encryption | Inspire 3, Matrice 350 RTK, T100/T70P/T70, T60/T25P, T50/T25, FlyCart 30 |
| Media data encryption | Matrice 4 series, Mavic 3 Enterprise series |
| Reset all function | Mavic 3 series, Air 3S, Mini 3 series, Mini 4 series, Avata 2, Neo, Flip |
| 4G Enhanced Transmission | Mavic 3 series, Mini 4 series, Air 3S, Flip, Inspire 3, Matrice 4 series, Mavic 3 Enterprise series, Matrice 4TD/4D, Matrice 3TD/3D, Matrice 400, Matrice 350 RTK, T100/T70P/T70, T60/T25P, FlyCart 30, Remote Drone Operations Solution |
| QuickTransfer | Mini 3, Mini 4 series, Air 3S, Avata 2, Neo, Flip, Mavic 3, Mavic 3 Classic, Mavic 3 Pro |
| Offline GEO Zone unlocking | Matrice 4 series, Mavic 3 Enterprise series, FlyCart 30, Matrice 4TD/4D, Matrice 3TD/3D, Matrice 400, Matrice 350 RTK |

We'll cover these security features in more detail later in this article.

The table above does not include end-of-line products, as per DJI's 2025 White Paper.

DJI drones: Device data security

DJI drones have robust device data security.

Data is generated, processed, and stored during the use of the drone.

The specific data types and detailed descriptions are as follows:

| Data Type | Description | Storage Location | Usage |
| --- | --- | --- | --- |
| Flight Log | Sensor data, GPS information, and user control data during flight. | Onboard storage or SD card | User can export flight logs by using related applications such as DJI Assistant 2. The onboard storage log will be encrypted by the export process on the drone, while the SD card stored log will be encrypted during log storage process. |
| Live Flight Status | Environmental information and real-time information of the drone during flight, such as current altitude, latitude and longitude, power voltage, etc. | User's mobile device or remote controller | When a drone is in use, the drone transmits its encrypted data to the user's mobile device. The data will not be synchronised to the cloud without user authorisation. |
| Device Logs | Device logs are generated during the operation of the drone to locate and solve a system bug, such as crash stacks, error, and warning message. | Onboard storage or SD card | User can export logs by using related applications such as DJI Assistant 2. The onboard storage log will be encrypted by the export process on the drone while SD card stored log will be encrypted during log storage process. |
| Media Data | Photos or videos taken by the user. | Onboard storage or SD card | If media data encryption function is enabled, a secure code is required to access media data. |
| Update Package | Drone system firmware. | Onboard storage | The firmware is encrypted and signed by DJI and transmitted to the drone via the app or DJI Assistant 2. |
| Geo Zone Database | Specific flight areas, including: Restricted Zones, Authorisation Zones, Warning Zones, Enhanced Warning Zones, and Altitude Zones. | Onboard storage | When the user triggers a GEO Zone Database update, the database is transmitted from the app to the drone. The GEO Zone database is protected using a combination of encryption and signing. |
| GEO Zone unlocking data | Data required for GEO Zone unlocking function, such as unlock licence | Onboard storage | When the user initiates GEO Zone unlocking, GEO Zone unlocking data is transmitted from the app to the drone. GEO Zone unlocking data is protected using a combination of encryption and signing. |

Drone device security: Chips and hardware

Chips and hardware security are the foundation of drone system security.

DJI says its products adopt best practice technologies, such as:

  • Trusted Execution Environment

  • Secure engine and key management

  • Replay Protected Memory Block-based secure storage

  • Secure boot

  • Access control

  • System partition protection

DJI’s security journey starts deep within the drone’s hardware architecture.

Trusted Execution Environment (TEE)

Using ARM® TrustZone®, DJI separates the drone’s operations into secure and normal environments. This ensures that sensitive information—like device keys, certificates, and user data—remains protected from tampering.

Cryptographic Key Management

DJI integrates FIPS 140-2 certified cryptographic engines for secure key generation and storage. Keys are injected into a tamper-proof OTP area and never exposed to normal system layers.

When the keys are transmitted, a unique security key is used for encryption for every single DJI product, and the corresponding decryption is performed in TEE.

DJI selects a compliant algorithm, key strength, and usage based on NIST recommendations, as shown in the table below.

| Algorithm | Strength | NIST recommendation | Usage |
| --- | --- | --- | --- |
| AES | 128 & 256 bits | 2030 | Encryption |
| RSA | 2048 & 3072 bits | 2030 | Signature |
| ECC | 256 bits | 2030 | Authentication |
| ECDSA | 256 bits | 2030 | Signature |
| SHA | 256 bits | 2030 | Digest |

Device Certificates

DJI products use X.509 format certificates, with each certificate bound to the drone's serial number.

These certificates are mainly used for device authentication and access control in services such as 4G enhanced transmission and device connection to the cloud.

Firmware security

DJI drones have robust firmware security features. These include:

Secure Boot: Starting from a safe place

Every DJI drone begins its operation through a multi-stage secure boot process. Each layer of firmware—from the BootROM to the operating system and flight control—is encrypted and digitally signed.

If one layer fails the integrity check, the boot process halts, protecting the drone from running compromised code.

This layered verification ensures that your drone is always operating with authentic, unaltered firmware, effectively stopping malicious injections before they take flight.

Secure Updates: Sealed and verified

DJI firmware updates aren’t just downloads - they’re cryptographically signed and encrypted packages. Before an update is installed, the drone checks the signature and decrypts the file using onboard trusted systems.

To prevent downgrading to older, potentially vulnerable firmware, DJI uses a hardware-based anti-rollback mechanism.

Offline updates are also supported, meaning updates can be transferred manually via SD card if needed.
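The boot-chain and update checks described in the two sections above can be modelled as follows. This is an added example, not DJI's code or anything taken from the white paper: HMAC-SHA256 under a constructed key stands in for the vendor's asymmetric signature, and the stage names, version numbers and the `RollbackFloor` counter model are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Assumption: HMAC-SHA256 under a constructed key stands in for the vendor's
# asymmetric signature so the example needs only the standard library.
# A real device verifies with a public key and never holds the signing key.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass(frozen=True)
class Image:
    name: str         # boot stage or update package name (hypothetical)
    version: int      # security version compared against the rollback floor
    payload: bytes
    signature: bytes


def _signed_bytes(name: str, version: int, payload: bytes) -> bytes:
    # Name and version are covered by the signature, so an old image cannot
    # be relabelled with a newer version number.
    digest = hashlib.sha256(payload).digest()
    return name.encode() + b"\x00" + version.to_bytes(4, "big") + digest


def sign(name: str, version: int, payload: bytes) -> Image:
    tag = hmac.new(DEMO_SIGNING_KEY, _signed_bytes(name, version, payload),
                   hashlib.sha256).digest()
    return Image(name, version, payload, tag)


def verify(image: Image) -> bool:
    expected = hmac.new(DEMO_SIGNING_KEY,
                        _signed_bytes(image.name, image.version, image.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.signature)


class RollbackFloor:
    """Models a monotonic hardware counter: it can be raised, never lowered."""

    def __init__(self, value: int = 0):
        self._value = value

    @property
    def value(self) -> int:
        return self._value

    def raise_to(self, version: int) -> None:
        self._value = max(self._value, version)


def check(image: Image, floor: RollbackFloor):
    """Return None if the image is acceptable, else the reason it is not."""
    if not verify(image):
        return "signature check failed"
    if image.version < floor.value:
        return "rollback rejected"
    return None


def secure_boot(chain, floor: RollbackFloor):
    """Verify stages in order and halt at the first failure.

    Returns (names of stages that ran, halt reason or None)."""
    ran = []
    for image in chain:
        reason = check(image, floor)
        if reason:
            return ran, f"{image.name}: {reason}"
        ran.append(image.name)
    return ran, None


def apply_update(package: Image, floor: RollbackFloor):
    """Install a package only if it verifies and is not older than the floor."""
    reason = check(package, floor)
    if reason:
        return False, reason
    floor.raise_to(package.version)
    return True, "installed"


def demo():
    floor = RollbackFloor(5)
    chain = [sign("bootloader", 5, b"bl-v5"), sign("os", 5, b"os-v5"),
             sign("flight_control", 5, b"fc-v5")]
    patched = [chain[0], replace(chain[1], payload=b"os-v5-modified"), chain[2]]
    old = sign("firmware", 4, b"fw-v4")       # genuine but outdated package
    relabelled = replace(old, version=9)      # same package, version edited
    return {
        "clean_boot": secure_boot(chain, floor),
        "modified_os": secure_boot(patched, floor),
        "old_package": apply_update(old, floor),
        "relabelled_package": apply_update(relabelled, floor),
        "new_package": apply_update(sign("firmware", 6, b"fw-v6"), floor),
        "floor_after": floor.value,
        "boot_old_chain_after": secure_boot(chain, floor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The signature is checked before the version, and the version sits inside the signed data, which is why the relabelled package fails on its signature rather than slipping past the rollback check.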

System Hardening: Defence at every level

Behind the scenes, DJI fortifies its firmware using standard best practices:

  • Address space layout randomisation (ASLR)

  • Stack overflow protection

  • Removal of debug symbols

  • Disabling insecure ports and services (e.g., FTP, SSH, Telnet)

These hardening strategies make it significantly harder for attackers to reverse-engineer or exploit the drone’s systems.

Log & Media Protection: Secure by default

DJI logs and stores data about drone operations, but does so with user control and encryption in mind. This includes:

  • Encrypted Log Exports, encrypted with AES algorithms.

  • One-Click Log Deletion from Pilot 2.

  • SD Card Encryption

  • Media Encryption - locked with a code and encrypted using AES-256-XTS. Media access is possible only via DJI Pilot 2 app (with code entry), or DJI Decrypt Tool on PC (with SD card and secure code).

  • Full reset options, allowing users to wipe their devices.

We'll cover some of these features in more detail later in the blog.

DJI flight app security: DJI Fly and DJI Pilot 2

DJI Flight Apps are equipped with mechanisms to protect user data.

This section highlights the relevant data requests and available privacy controls for the user at each stage, when using DJI Fly and DJI Pilot 2.

DJI Fly App Drone Data Security

  • DJI Fly is for DJI consumer drones.

  • The app is used for drone system communication, interactive control, real-time live display, user information management, image editing, and content sharing.

  • The app communicates to users what data can be collected - including what is optional. DJI says no flight logs, images, or videos are shared with DJI without user consent.

  • When launching the app for the first time with a new drone, it will prompt the user to confirm which items of information can be collected, and preferences can be changed at any time.

  • Data communicated between DJI Fly app and the cloud server is protected by HTTPS protocol.

  • Users can enable Local Data Mode to sever communication between the app and server.

The table below highlights the information and content the app may collect.

| User information | Content and usage | User authorisation time | Opt-Out (If LDM off) |
| --- | --- | --- | --- |
| Approximate Location | Obscured location (5–10 km radius) of DJI/mobile device. Used to refresh latest GEO zones. Not stored on server. | When app starts for the first time (pop-up window). | No |
| DJI Device Hardware Info | Includes serial numbers of flight controller, gimbal, camera, battery. Used for activation and DJI Care. | When app starts for the first time (pop-up window). | Yes |
| DJI Device GNSS Info | Real-time drone location for third-party map framework (e.g., find my aircraft, flight UI map, location album). | When app starts for the first time (pop-up window). | Yes |
| User Behavior Logs | De-identified usage data (e.g., frequency). Used for statistical analysis and improving user experience. | Optional. Selected during initial pop-up (DJI Product Improvement Project > Contributor). | Yes |
| Flight Records | Flight data (position, attitude, battery status, route, etc.) generated by app and system. Can be synced to cloud for backups. | Users enable/disable in settings. | Yes |
| Videos / Photos | Media captured by the user. | When user chooses to upload | Yes |

DJI Pilot 2 Drone Data Security

  • DJI Pilot 2 is used with DJI Enterprise drones.

  • The app carries out drone system communication, interactive control, real-time display image transmission, user information management, and intelligent tasks.

  • It provides users with software features for industrial drone applications.

  • It inherits the security features of consumer applications, but expands security and privacy functions to meet the needs of enterprise users.

  • Users can instruct DJI Pilot 2 on what data it can and cannot collect.

  • When the app loads on a new device for the first time, a pop-up window will appear to prompt the user to confirm what information can be collected. Preferences can be amended at any time.

  • DJI Pilot 2 provides users with enhanced controls, such as Network Security Mode, Media Data Encryption, log one-click deletion, offline firmware update, offline GEO Zone unlocking, and offline map. We'll look at these in the next section.

  • Third-party software alternatives can be downloaded onto an iPad or Android device and used as a separate app, without any interactions with DJI Pilot 2. In some cases, Pilot 2 can be disabled altogether.

Keeping user data safe: Network Security Mode

DJI says it will not access any user data unless given permission to do so.

Operators can grant or revoke permissions at any time through Network Security Mode.

Permissions that can be activated or deactivated include access to device information; flight records; device logs; and whether DJI can share device location with third-party map service providers in order to display your location on the map.

There are three modes to choose from within Network Security Mode, offering different levels of customisation and permissions. Taking DJI Pilot 2 as the example, these modes are: 

1: Standard Mode

DJI Pilot will connect to the internet and work normally. The features and functions within Standard Mode can be turned on or off. 

2: Restricted Network Mode

To protect operator data, many of DJI Pilot's features and functions are disabled and cannot be activated, with the exception of Map Service, Network RTK, and Third-party Cloud Services, which can be enabled or disabled.

If operators want to use a map without activating Map Service in Restricted Network Mode, they can use the MapTiler offline map to continue with a mapping service. This will prevent information being sent to third-party map service providers.

MapTiler's HQ is in Switzerland. Its maps contain no spy code, and IP addresses of MapTiler Cloud visitors are stored in memory only for the limited time needed for security checks, a maximum of 20 minutes, and are then automatically destroyed.

DJI has also used American-based Mapbox for this extra-secure method of accessing maps.

Other apps on a smartphone or tablet are not affected by the use of Restricted Network Mode.  

3: Local Data Mode

Local Data Mode provides customers with additional assurance that data generated during drone operations is effectively protected.

It is an internet connection 'kill switch' feature within DJI’s command and control mobile applications that, when enabled, prevents the app from sending or receiving any data over the internet.

The app will close all data services and will not send any network requests to protect data. The features and functions within this mode will be disabled, with no option to enable them.

Local Data Mode enables a user's device to be operated completely offline. In this case, there is no requirement for users to log into their DJI account.

With Local Data Mode activated, drone operators can easily and effectively cut off all network connections from DJI’s mobile applications and prevent any data from being transferred to DJI or other parties. 

Turning on Local Data Mode - which is similar to Airplane Mode on smartphones and other mobile devices - should help to assure drone operators that all data remains local and entirely within their control.

To use maps in Local Data Mode, first download the map in Standard Mode, and then switch to Local Data Mode.

Please note that Local Data Mode is available in the DJI Pilot, DJI GO4 and DJI Fly control apps to provide enhanced data privacy assurance when flying sensitive missions.

Network Security Mode: Features In More Detail

The table below highlights the purpose of each Network Security Mode feature and how these are impacted by switching between Standard Mode, Restricted Network Mode, and Local Data Mode. 

| Feature | Purpose | Standard Mode | Restricted Network Mode | Local Data Mode |
| --- | --- | --- | --- | --- |
| Map Service | Displays the location of your mobile device and DJI devices on the map in real-time while your aircraft is in flight. Enabling Map Service allows third-party map service providers to access the location information of your mobile device and DJI devices. | Toggle on or off | Toggle on or off | Off |
| Network RTK | Provides RTK data to your DJI devices from a third-party RTK service provider. Network RTK helps you use your DJI devices with high-accuracy positioning data. Third-party RTK service providers will gain access to your devices' location information only when you are using Network RTK service. Your DJI devices' location information will be used for requesting data from nearby RTK base stations. | Toggle on or off | Toggle on or off | Off |
| Third-party Cloud Services | Supports GB28181 protocol, RTMP, RTSP and DJI IoT API. Only when you choose Third-party Cloud Services will DJI Pilot sync DJI device serial numbers, GPS location information, flight speed, real-time image transmission, aircraft attitude, camera attitude, sensor data, and livestream protocol to DJI servers in accordance with livestream protocol. | Toggle on or off | Toggle on or off | Off |
| Device Update | Includes checking for updates and downloading update packages for your DJI devices and DJI apps. Keeping your DJI devices and apps updated helps ensure optimal user experience. Enabling Device Update allows DJI Pilot to sync the following information for checking updates and downloading update packages: Account information, DJI devices firmware versions, and DJI apps versions. | Toggle on or off | Off | Off |
| Sync Logs | A convenient tool for uploading DJI device logs. DJI Pilot will sync your account information and DJI device logs to DJI servers only when you choose to upload them. The logs contain various DJI device status information, including, but not limited to, the DJI device serial number, flight trajectory, flight speed, and sensor data. This information will only be used to help DJI Support locate issues with the device. | Toggle on or off | Off | Off |
| Sync Flight Records | A convenient tool for syncing DJI device flight records. DJI Pilot will sync your account information, DJI device serial numbers, location information, flight trajectory, flight speed, and sensor data to DJI servers only when you choose to update them. | Toggle on or off | Off | Off |
| FlightHub 2 Cloud Platform | Only after DJI Pilot users log in to FlightHub 2 will Pilot sync data such as account, device, GPS location, aircraft speed and attitude, and real-time image transmission data to FlightHub 2. Sharing data with team members through FlightHub 2 can increase team efficiency. | Toggle on or off | Off | Off |
| DJI Product Improvement Project | DJI would like your help to improve the quality and performance of its products by collecting and sending device diagnostics and usage data. No DJI account details or personal information will be collected for this purpose. | Toggle on or off | Off | Off |
| Fly Safe | Includes update checks and downloads for the Precise Fly Safe Database and unlocking licence synchronisation. It increases flight safety by providing more accurate geo-zone information and is also a convenient and efficient way to unlock licences from DJI. Enabling Fly Safe allows DJI Pilot to sync your DJI device information, the Precise Fly Safe Database version information, and GPS fuzzy location information to DJI servers for checking for and downloading updates and for updating temporary geo-zone data. DJI Pilot only syncs your account information and DJI device serial number with DJI servers to unlock licence when you use the licence synchronisation function. | Toggle on or off | Off | Off |

Network Security Mode: Enabling And Disabling Features 

The screenshots below show how this plays out within DJI Pilot 2 - the most recent DJI Pilot app.

For instance, the next set of images show Network Security Mode's Map Service and Network RTK features, and how Standard Mode, Restricted Network Mode, and Local Data Mode impact their usability.

In Standard Mode, users can choose to enable or disable Map Service and Network RTK...   

...which is also the same in Restricted Network Mode...

...but in Local Data Mode, Map Service and Network RTK are off by default and there is no option to activate them. 

This next set of images shows how other features within Network Security Mode - in this case, Device Update - can continue to be switched on and off in Standard Mode...  

...but are now deactivated, with no option to activate, in Restricted Network Mode...

...as well as in Local Data Mode.

How To Access Network Security Mode 

So, how do you choose your preferred Network Security Mode settings?

Again, taking DJI Pilot 2 as the example, click on the shield at the top left of the screen on the remote controller... 

...to bring up this menu within the Data and Privacy section. Click on the Standard Mode box on the right to activate a drop down to choose between this mode, Restricted Network Mode and Local Data Mode.  

AES-256 video transmission encryption for enhanced security

Data transmitted between the drone and the remote controller on the ground is protected by the AES-256 encryption algorithm.

The communication between the DJI Pilot app and the server is also protected by HTTPS or WebSockets over SSL/TLS (WSS) protocol to prevent hijacking by third-parties and protect against man-in-the-middle attacks.

How AES-256 encryption works to protect your DJI drone data

AES encryption has become the industry standard for data security. AES comes in 128-bit, 192-bit, and 256-bit implementations, with AES-256 being the most secure.

The three types of AES also vary by the number of rounds of encryption. AES-128 uses 10 rounds, AES-192 uses 12 rounds, and AES-256 uses 14 rounds. The more rounds there are, the safer the encryption.

This is why AES-256 - which is utilised by DJI - is considered the safest encryption there is.   

AES-256 encryption protects the OcuSync communication system (used in DJI drones), as well as DJI's 4G LTE communication which protects users against near-field and remote communication hijacking, man-in-the-middle attacks, and communication encryption.

SD-card encryption - Secure device media storage

Setting a security code helps to ensure the secure use of media files. This can be done via the Data and Privacy page on the remote controller within the flight app.

When the password function is enabled, data stored in the SD card or onboard storage can be accessed only after the user-defined password is provided.

The security code will be required when accessing content on the SD card via DJI Pilot 2.

It is interesting to note the following:

  1. Security code is neither saved on device nor accessible by DJI. This means that the password cannot be retrieved if it is forgotten by the user. 

  2. It is not possible to reset security code. If security code is lost, format the memory card for reuse.

  3. Memory card will be formatted if security code is disabled.

Erasable data - One-tap clear all device data 

Users can choose to erase any data generated during their use of DJI devices. To erase your data, go to the DJI Pilot or DJI Pilot 2 app to clear the logs and cache on your device and the app.

Press the Clear All Device Data button via the Clear DJI Device Log tab.

This resets the remote controller operating system and will clear flight records, brief flight records, app logs, local media data, flight route files, and other data.

The cache can be removed by pressing the DJI Pilot Cache tab.

If you decide not to use DJI’s services anymore, email support@dji.com to ask DJI to delete all the data associated with your account. 

DJI drone data security for Android, iOS, and PC platforms

To safeguard these mission-critical apps, DJI has built comprehensive security defenses across Android, iOS, and PC platforms, ensuring protection from data theft, tampering, and reverse engineering.

Android App Hardening: Defense at Every Layer

DJI’s Android apps are reinforced with multi-layered code protection to shield against decompilation and runtime attacks:

  • Code Obfuscation & Virtual Machines: Core functionalities (like drone control logic) are converted into encrypted bytecode and run in a virtual machine, making reverse engineering extremely difficult.

  • Encrypted Dynamic Libraries: Code libraries (written in C/C++) are compressed and encrypted. Once decrypted at runtime, the memory is cleared to prevent leaks.

  • Runtime Protection: Apps actively scan for debugger tools and hacking attempts in real-time using polling and detection systems.

  • File System Encryption: All files—logs, flight records, preferences—are encrypted within the Android file system.

  • Integrity Checks: App installation packages are verified against known digital fingerprints. If tampering is detected, the app shuts down to prevent malicious actions.

iOS App Hardening: Leveraging Apple’s Secure Ecosystem

While iOS already offers a robust sandbox, DJI adds custom safeguards:

  • Code Obfuscation: Sensitive business logic is hidden behind redundant or misleading syntax.

  • Runtime Pointer Obfuscation: Keys and sensitive methods are abstracted behind global pointers, complicating reverse tracing.

  • White-box Cryptography: Critical credentials (like login data) are protected within the app using algorithms that remain secure even if the code is exposed.

  • Encrypted Drone Communication: Commands sent to the drone are protected at the protocol level to resist interception.

PC Software Security: Fortifying Ground Control Systems

DJI’s desktop software (e.g. DJI Assistant, Decrypt Tools) is protected using industry-standard hardening tools:

  • Binary Packing & Anti-Debugging: Executables are encrypted and embedded with tamper detection.

  • Digital Signatures: All apps are signed to prevent distribution of altered versions.

  • Key Obfuscation: Communication credentials (like drone interface tokens) are concealed and never stored in plain text.

  • SSL/TLS Enforcement: All client-server communications use HTTPS or WSS to avoid network-based attacks.

DJI software data security: DJI Terra and DJI Assistant 2

DJI software systems come with data security protocols.

We'll do a deep-dive on DJI FlightHub 2 (and other cloud services) later, but for now, we'll focus on DJI Terra and DJI Assistant 2.

DJI Terra Data Security

  • DJI Terra is a 3D reconstruction software. It is predominantly used for photogrammetry and LiDAR data.

  • Each time Terra is launched, users must log in to their DJI account. This ensures access is confined to authorised users.

  • Model reconstruction processes are performed locally on the user's device. This means the source data - i.e. photos, videos, LiDAR point clouds, and location information - stays on the device. DJI says this data is never uploaded to DJI servers.

  • DJI offers a dedicated offline version of DJI Terra, designed to operate in disconnected network environments.

  • When DJI Terra is launched for the first time, a pop-up window appears requesting data access authorisation. After this, authorisation settings can be changed at any time.

  • Data communication between DJI Terra and cloud servers is protected using HTTPS protocol.

The table below outlines the data that may be uploaded by DJI Terra.

| User info | Content and usage | User authorisation time | Opt-out |
| --- | --- | --- | --- |
| User Account Information | Includes the user's DJI account and the computer bound to the software. Used to verify account authorisation. | First-time use (pop-up window prompts for authorisation) | No |
| User Experience Information | De-identified product usage data (e.g., usage frequency). Collected solely for statistical analysis to improve user experience. | First-time use (pop-up window prompts for authorisation) | Yes |
| Function Failure Data | Users may choose to upload this data when encountering reconstruction issues. Helps DJI resolve technical problems and improve product performance. | Only when the user chooses to upload | Yes |

DJI Assistant 2 Drone Data Security

  • DJI Assistant 2 is a client software that interacts with DJI drones on Windows and Mac computer platforms.

  • Key functions include firmware update, log export, camera calibration, flight simulator, and DJI device parameter settings.

  • Communication between DJI Assistant 2 and the DJI device uses the USB virtual serial port.

  • Communication with the server uses HTTPS protocol.

  • Communication data between different processes of the application is AES encrypted.

  • When using the software for the first time, a prompt will appear to confirm data access authorisation for the software. After this, authorisation settings can be changed at any time.

The table below highlights what information will be obtained when using DJI Assistant 2 to ensure all functions are working properly.

| User information | Content and usage | User authorisation time | Opt-out |
| --- | --- | --- | --- |
| DJI account information | Used for device activation, firmware upgrades, and PSDK services. | First-time use (pop-up window prompts for authorisation) | Yes |
| DJI device serial number | Refers to the SN of the DJI device linked to the app. Used for device activation and firmware upgrade. | First-time use (pop-up window prompts for authorisation) | Yes |
| Payload SDK information | Includes product IDs and license info. Used for PSDK binding and unbinding services. | First-time use (pop-up window prompts for authorisation) | Yes |
| Onboard SDK information | Includes the app ID. Used for Onboard SDK activation service. | First-time use (pop-up window prompts for authorisation) | Yes |
| User experience information | Used for the Product Improvement Plan. Collects user preferences and diagnostic/usage data (de-identified) to improve DJI products and services. | First-time use (pop-up window prompts for authorisation) | Yes |

Communication security

As drones become central to enterprise operations, the security of data transmission between air systems, controllers, cloud infrastructure, and mobile devices is paramount. DJI has developed a layered communication security architecture to safeguard user data against hijacking, spoofing, and unauthorised access.

DJI’s End-to-End Communication Framework

DJI’s communication security covers four key components:

  • Air System: The drone, which connects with controllers, user devices, and cloud services.

  • Ground Control: Devices like remote controllers, DJI Goggles, or drone docks for live control and feedback.

  • Cloud Infrastructure: Backend services (e.g., DJI FlightHub 2) or user-deployed private cloud servers.

  • User Mobile Devices: Smartphones or tablets for mission control and media access.

These systems are interconnected using three secure link types:

  • Transmission Links: Between drone and controller (e.g., OcuSync, 4G).

  • Cloud Connection Links: Between controller/drone and cloud services.

  • QuickTransfer Links: Between drone and mobile device for fast media download.

OcuSync: DJI’s Proprietary Encrypted Link

DJI’s OcuSync protocol is a cornerstone of its real-time control and video transmission. It uses AES-256 encryption with a new, randomly generated session key every time the drone powers on. This ensures:

  • Resistance to man-in-the-middle attacks

  • Prevention of eavesdropping or replay attacks

  • Session-specific encryption, enhancing data confidentiality

4G Enhanced Transmission for Long-Range Operations

For extended-range or dock-based operations, DJI supports 4G enhanced transmission via cellular dongles or wired connections. This link initiates with OcuSync, then transitions to 4G. Key security features include:

  • AES-256 encryption with dynamic session keys.

  • Mutual authentication between air and ground systems using device certificates and private keys (stored securely via ARM TrustZone®).

  • Data privacy enforcement: Even DJI’s relay servers can’t decrypt transmitted content.

  • Users with high-security needs can even deploy their own private 4G transmission servers, maintaining full control over data flows.

Cloud Link Security with TLS and Token Authentication

When drones connect to DJI's cloud services (e.g., FlightHub 2 or SkyPixel), communication is protected using:

  • TLS 1.2+ encryption for all cloud-bound traffic.

  • Token-based authentication generated within the drone’s secure zone.

  • Mutual verification of device and cloud identity.

DJI also supports user-deployed private clouds - including FlightHub 2 On-Premises or third-party services via DJI’s Cloud API - offering enterprise-grade autonomy with the same level of security.

We'll cover DJI FlightHub 2 On-prem, and how heliguy™ can help, in more detail later.

QuickTransfer: Fast Media Offload with Access Control

QuickTransfer allows consumer drone users to wirelessly download media from the drone to a phone or tablet. The process involves:

  • Bluetooth discovery and manual user confirmation on the drone

  • Wi-Fi connection using auto-generated SSID and password

  • Device-level UUID whitelist validation to prevent unauthorized access

QuickTransfer is a media-only link—it cannot control flight operations—making it ideal for rapid content offload without compromising core control security.

Cloud data storage security

DJI's data centres are built on Amazon Web Services (AWS) and Alibaba Cloud. Alibaba Cloud is used only for customers in Mainland China. Amazon Web Services is used for all other regions.

Both are known for their security qualification and high reliability. AWS has certification for compliance with ISO 27001/27017/27018, and Alibaba Cloud has certification for compliance with ISO 27001/27017/27018, CSA STAR certification, and SOC (Service Organisational Control) independent audits.   

Amazon Web Services describes itself as the most secure cloud computing environment available today and a network architected to protect information, identities, applications, and devices. For more details about AWS, visit the official website.

DJI says it ensures host security by:

  • Performing log security checks and scans;

  • Conducting periodic penetration tests for DJI cloud services;

  • Deploying intrusion detection systems;

  • Installing antivirus products on all R&D terminals: Virus databases are updated every week and vulnerability scans are conducted on critical system components each week.

DJI FlightHub 2 data security

DJI FlightHub 2 is a cloud-based operations platform designed to help enterprise users manage drones, teams, media, and missions with streamlined efficiency and robust data security.

Core Capabilities and Connectivity

FlightHub 2 supports multiple DJI aircraft models and integrates with the DJI Pilot 2 app and DJI Dock systems.

DJI FlightHub 2 facilitates real-time device monitoring, remote flight planning, live camera feeds, route libraries, and media file management.

Communications between FlightHub 2 and connected devices are secured via industry-standard protocols like HTTPS, MQTTS, and WSS, with AES-256 encryption safeguarding transmitted data.

Access Control with Role-Based Permissions

To ensure granular access management, FlightHub 2 uses a Role-Based Access Control (RBAC) system.

Users are assigned roles with distinct permissions across organisational and project levels.

This enables precise control over who can access and manage devices, data, and operational functions—essential for maintaining operational integrity in enterprise environments.

The table below outlines the roles and permissions in DJI FlightHub 2.

| Dimension | Role | Permission |
| --- | --- | --- |
| Organisation | Super Admin | Manages the organizational life cycle. Owns all permissions within the organisation. |
| Organisation | Organisation Admin | Manages members, devices, and projects within the organisation. |
| Organisation | Device Maintainer | Manages all devices within the organisation. |
| Organisation | Member | Views project information, adds devices, and exits the organisation. |
| Organisation | Temporary Member | Has limited operation permissions within the joined project. |
| Project | Project Admin | Manages the project life cycle and owns all project permissions. Each project must have at least one. |
| Project | Member | Has limited operation permissions within the project. |
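
The two-level role model in the table can be sketched as a deny-by-default permission check; this is an added example, not FlightHub 2 code or its API. Role names come from the table, while the action names, the role-to-action mapping and the class and method names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role names come from the table above. The action names and which role is
# granted which action are assumptions for this example, not FlightHub 2's API.
ORG_ACTIONS = {"manage_members", "manage_devices", "manage_projects",
               "view_project_info", "add_device"}
PROJECT_ACTIONS = {"edit_project", "run_mission", "view_media"}

ORG_ROLE_GRANTS = {
    "Super Admin": ORG_ACTIONS | PROJECT_ACTIONS,    # owns all permissions
    "Organisation Admin": {"manage_members", "manage_devices",
                           "manage_projects", "view_project_info"},
    "Device Maintainer": {"manage_devices"},
    "Member": {"view_project_info", "add_device"},
    "Temporary Member": set(),                       # rights only via a joined project
}
PROJECT_ROLE_GRANTS = {
    "Project Admin": set(PROJECT_ACTIONS),           # owns all project permissions
    "Member": {"run_mission", "view_media"},         # limited operation permissions
}


@dataclass
class Organisation:
    org_roles: dict = field(default_factory=dict)      # user -> organisation role
    project_roles: dict = field(default_factory=dict)  # project -> {user: role}

    def _sole_admin(self, project, user):
        members = self.project_roles.get(project, {})
        return [u for u, r in members.items() if r == "Project Admin"] == [user]

    def create_project(self, project, admin):
        if admin not in self.org_roles:
            raise ValueError("admin must belong to the organisation")
        # A project is born with its first Project Admin.
        self.project_roles[project] = {admin: "Project Admin"}

    def assign_project_role(self, project, user, role):
        if user not in self.org_roles or project not in self.project_roles:
            raise ValueError("unknown user or project")
        if role not in PROJECT_ROLE_GRANTS:
            raise ValueError(f"unknown project role: {role}")
        if role != "Project Admin" and self._sole_admin(project, user):
            raise ValueError("cannot demote the last Project Admin")
        self.project_roles[project][user] = role

    def remove_from_project(self, project, user):
        # Invariant from the table: each project keeps at least one Project Admin.
        if self._sole_admin(project, user):
            raise ValueError("cannot remove the last Project Admin")
        self.project_roles.get(project, {}).pop(user, None)

    def is_allowed(self, user, action, project=None):
        org_role = self.org_roles.get(user)
        if org_role is None:
            return False                              # not in the organisation: deny
        if action in PROJECT_ACTIONS and project is None:
            return False                              # project actions need a project scope
        granted = set(ORG_ROLE_GRANTS[org_role])
        if project is not None:
            role = self.project_roles.get(project, {}).get(user)
            if role is not None:
                granted |= PROJECT_ROLE_GRANTS[role]  # scoped to this project only
        return action in granted
```
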

Regional Data Handling and Encryption

All user data is stored based on geographic region:

  • China – Local Chinese servers

  • Europe – AWS data centers in Frankfurt

  • Other regions – AWS North America

Sensitive data is encrypted both at rest and in transit; static encryption is enabled across the entire database; and storage encryption is applied to all personal information.

FlightHub 2 adheres to the principle of least privilege, ensuring DJI can only access data with user consent.

Auditability and Operational Transparency

Every action taken by DJI within the cloud environment—especially when users request technical assistance—is logged.

This audit trail offers transparency and ensures compliance with organisational data governance policies.

DJI FlightHub 2 Sync

This feature enables direct integration with third-party cloud storage systems.

Drone-captured media and telemetry data (like GNSS coordinates and payload status) can bypass DJI servers entirely and upload directly to user-specified storage.

It gives organisations complete control over their data flows and retention strategies.

DJI FlightHub 2 On-premises

For industries with strict compliance requirements (e.g., energy, transport, government), DJI offers an On-Premises Version of FlightHub 2.

This private cloud solution supports full deployment within the user’s own IT environment—ensuring all flight logs, imagery, and operational data stay within internal networks.

It mirrors the standard version’s functionality while integrating with existing security frameworks and infrastructure policies.

DJI also provides ongoing security updates and vulnerability scanning to maintain protection over time.

heliguy™ is an authorised FlightHub 2 On-premises dealer and can help organisations integrate it into their workflows.

Find out more here.

Cloud-Based 2D/3D Modeling with DJI Terra API

The DJI Terra API lets developers access DJI’s advanced photogrammetry and LiDAR-based modeling tools via a cloud interface.

Users manually upload geospatial data - like photos, videos, or point clouds - from DJI devices, and the API processes them into 2D or 3D models.

All communications are encrypted over HTTPS, and developers can delete uploaded data through the API at any time.

Data is stored in AWS (global) or Alibaba Cloud (Mainland China), depending on the user’s location. DJI only accesses modeling data with explicit user permission.

Geofence security programme

DJI implements a multi-layered geofence security model designed to prevent unauthorised flights while offering secure, authorised access when necessary.

DJI’s geofencing system combines two components:

  • The GEO Zone Database – Contains geographic boundaries for restricted, authorization, warning, and altitude-specific zones.

  • Flight Control Functions – Use GNSS (GPS) data and the geofence database to assess flight permissions in real time.

To protect against tampering or spoofing:

  • The GEO Zone database is cryptographically signed, ensuring integrity.

  • The latest flight control systems verify signatures within a Trusted Execution Environment (TEE), adding hardware-level security.

  • All GNSS data is signed, preventing man-in-the-middle attacks or unauthorized module replacement.

Crucially, DJI’s geofencing operates without requiring an internet connection. Drones use the onboard database and GNSS inputs to enforce restrictions, ensuring functionality even in remote or offline areas.

As of January 2024, DJI updated its geofencing model by transitioning many Restricted Zones (No-Fly Zones) into Enhanced Warning Zones.

Where necessary, a user can apply to unlock a GEO Zone. This includes the Qualified Entities Programme (available in Europe, North America, Canada) - enabling enterprises and organisations to obtain a longer unlock duration.

DJI SDK Security

DJI produces several SDKs including Mobile SDK, Onboard SDK, Payload SDK, DJI Edge SDK, and DJI Thermal SDK.

As such, DJI enforces transparent data practices and strict control mechanisms across its SDK landscape—giving developers flexibility while ensuring user data stays protected.

Mobile SDK (MSDK)

The Mobile SDK lets developers build custom iOS and Android apps that control DJI drones.

When used, MSDK apps may initiate connections for:

  • SDK activation (required): Registers the app with DJI servers, sending only system-level info like OS and SDK version.

  • Firmware updates: Optional check for new versions.

  • Country code syncing: Adjusts remote frequency bands.

  • Usage stats (optional): Anonymous logs to improve functionality.

  • User Centre/RTK integration (optional): Allows interaction with DJI’s backend or third-party positioning systems.

  • Local Data Mode (LDM) is available: After activation, developers can disable all network traffic for full offline operation.
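
One way an operator could check the Local Data Mode behaviour described above on their own network, added here as an example (not DJI's or any auditor's code): it scans exported flow records for traffic from the controller that leaves the local segment while LDM is on. The CSV layout, addresses, time window and function names are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed flow records (time,src,dst,dport,proto); the layout is an assumption.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_FLOWS = """\
time,src,dst,dport,proto
2025-06-01T10:00:05,192.168.8.20,192.168.8.1,53,udp
2025-06-01T10:00:09,192.168.8.20,203.0.113.10,443,tcp
2025-06-01T10:05:00,192.168.8.20,224.0.0.251,5353,udp
2025-06-01T10:06:30,192.168.8.20,192.168.8.1,67,udp
2025-06-01T10:07:12,192.168.8.20,198.51.100.7,443,tcp
2025-06-01T10:07:40,192.168.8.99,198.51.100.7,443,tcp
2025-06-01T10:08:00,192.168.8.20,192.168.8.1,53,udp
2025-06-01T10:20:01,192.168.8.20,203.0.113.10,443,tcp
"""


def is_local(dst, lan):
    """True if the destination stays on the local segment.

    An explicit LAN allowlist is used instead of ipaddress.is_private, so any
    address outside the operator's own network counts as outbound.
    """
    ip = ipaddress.ip_address(dst)
    return ip in lan or ip.is_loopback or ip.is_link_local or ip.is_multicast


def audit_ldm_window(flow_csv, device_ip, lan_cidr, ldm_start, ldm_end):
    """Report flows from device_ip seen while LDM was enabled.

    Traffic before the window (e.g. the one-time SDK activation) is ignored.
    DNS queries to a local resolver are listed separately: the address is
    local, but the resolver forwards the lookup to the internet.
    """
    lan = ipaddress.ip_network(lan_cidr)
    start = datetime.fromisoformat(ldm_start)
    end = datetime.fromisoformat(ldm_end)
    report = {"outbound": [], "dns_lookups": []}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        when = datetime.fromisoformat(row["time"])
        if row["src"] != device_ip or not (start <= when <= end):
            continue
        flow = (row["time"], row["dst"], int(row["dport"]), row["proto"])
        if not is_local(row["dst"], lan):
            report["outbound"].append(flow)
        elif flow[2] == 53:
            report["dns_lookups"].append(flow)
    return report


def ldm_holds(report):
    """LDM is considered intact only if nothing left and nothing was resolved."""
    return not report["outbound"] and not report["dns_lookups"]


if __name__ == "__main__":
    result = audit_ldm_window(SAMPLE_FLOWS, "192.168.8.20", "192.168.8.0/24",
                              "2025-06-01T10:05:00", "2025-06-01T10:15:00")
    for kind, flows in result.items():
        for flow in flows:
            print(kind, *flow)
    print("LDM holds:", ldm_holds(result))
```
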

Onboard SDK (OSDK)

The Onboard SDK helps automate drones via direct integration with DJI flight controllers.

  • Requires developer registration (ID/key) and initial online activation.

  • Post-activation, the system runs entirely offline.

  • Flight logs may include developer-provided IDs but are encrypted upon export.

Open-source code is available on GitHub for transparency and extensibility.

Payload SDK (PSDK)

PSDK allows developers to create custom hardware payloads that connect via DJI’s SKYPORT adapter.

  • Logs include payload diagnostics (CPU usage, interface bandwidth, voltage).

  • Logs are not uploaded automatically—users export them manually.

  • Binding and unbinding with SKYPORT requires online verification via DJI Assistant 2.

  • User experience data, such as usage time and location (blurred to 5–10km), is optional and controlled via app settings.

Edge SDK (ESDK)

The Edge SDK powers edge computing for DJI Dock deployments. It enables local image processing, AI recognition, and defect detection on third-party edge boxes.

  • A public/private RSA key pair ensures encrypted communication between edge boxes and drone docks.

  • During initial setup, apps may collect binding metadata (e.g., product IDs and serial numbers), but users can opt out of uploading this data.

Thermal SDK (TSDK)

DJI’s Thermal SDK provides in-depth tools for analysing infrared images (R-JPEG):

  • Allows precise measurement control (e.g., emissivity, humidity, distance).

  • Supports color palette adjustments and isothermal analysis.

  • Fully offline-capable: No internet connection needed for operation or analysis.

Third-Party Cybersecurity Examinations Of DJI Drone Products

DJI's data security practices have been validated by federal agencies and independent private firms - continuously since 2017.

Some of the findings are below:

ISO 27701 CERTIFICATION FOR DJI FLIGHTHUB 2 (2025)

DJI FlightHub 2 has obtained ISO 27701 certification by the British Standards Institution (BSI), confirming that FlightHub 2 meets privacy and data protection legal and regulatory requirements (such as GDPR).

This builds on the existing ISO 27001 certification which certifies that FlightHub 2 complies with information security management standards.

Click here for more information.

FTI CYBERSECURITY AUDIT FOR MAVIC 3T, PILOT 2 & RC PRO (2024)

Assessed the Mavic 3T, Pilot 2 and RC Pro and reaffirmed that when U.S. operators choose to share flight data with DJI, the data resides within U.S.-based servers.

Also validated that Local Data Mode (LDM) resulted in no outbound traffic.

Click here for more information.

ISO 27001 CERTIFICATION FOR DJI FLIGHTHUB 2 (2023)

DJI FlightHub 2 has obtained ISO 27001 certification, issued by the British Standards Institution (BSI), which proves that the design, development, and operational services (such as risk management, security controls, and continuous improvement) of DJI FlightHub 2 comply with the information security management standards.

Click here for more information.

FIPS 140-2 CERTIFICATION (2022)

In 2022, the DJI Core Crypto Engine obtained the NIST FIPS 140-2 CMVP Level 1 certification, which proves that DJI meets the rigorous security standards in design and implementation and provides a high level of protection for sensitive data and communication.

The engine is a firmware hybrid cryptographic module which provides foundational security services for the entire platform, including cryptography, key management, platform identity, secure boot, and secure Life Cycle State (LCS).

Formally validated by the U.S. and Canadian Governments, FIPS 140-2 compliance has been widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and realistic best practice. The standard ensures that the hardware validated meets specific security requirements.

DJI products are equipped with this secure engine, which indicates that the products have a high level of security and comply with industrial and regulatory security standards.

Click here to view the certificate details.

TÜV SÜD AUDIT (2022)

In 2022, TÜV SÜD conducted an audit of the following product portfolios of DJI: DJI consumer drones (DJI Air 2S, DJI Mini 2, and DJI Mavic 3) along with the DJI Fly app (for iOS and Android) and a DJI industrial-grade drone (DJI Matrice 300 RTK) along with the DJI Pilot app (for Android).

The audit reports issued by TÜV SÜD confirm that the preceding product portfolios meet the requirements of NIST IR 8259 and ETSI EN 303645 standards in terms of network security and privacy protection.

Click here for more information.

BOOZ ALLEN HAMILTON - UAS COE AUDIT (2020)

Cybersecurity firm Booz Allen Hamilton, on behalf of PrecisionHawk’s Unmanned Aerial Intelligence Technology Center of Excellence (UAS CoE), conducted risk assessment testing and analysis of three DJI commercial drone products: Mavic Pro GE, Matrice 600 Pro GE, and Mavic 2 Enterprise.

Click here for more information.

FTI SECURITY AUDIT (2020)

FTI Consulting (FTI) conducted an independent review and validation of Local Data Mode and DJI’s drone products through a source code review of DJI applications as well as a hardware cybersecurity review of devices.

The audit found that when Local Data Mode was enabled, no data generated by the drone or application was sent externally to infrastructure operated by any third party, including DJI, validating DJI’s assertions about the utility and function of the feature.

Click here for more information.

IDAHO NATIONAL LABORATORY (2019)

The Idaho National Laboratory conducted a cybersecurity test which involved DJI Matrice 600 Pro and Mavic Pro 2 GE edition drones.

The report found “no major areas of concern related to data leakage, thereby supporting that the multi-layered mitigations DOI has in place are in fact working as designed to meet their published security requirements”.

Click here for more information.

U.S. DEPARTMENT OF INTERIOR AUDIT (2019)

The U.S. Department of Interior (DOI) conducted thorough tests and evaluations on the DJI government-grade (GE) version of drones.

Click here for more information.

KIVU SECURITY AUDIT (2018)

Kivu is a global technology and consultancy firm. In 2018, DJI released Kivu’s independent report, which reviewed DJI’s data practices and concluded that DJI is capable of protecting users’ personal data.

Click here for more information.

DJI FLIGHTHUB SOC2 AUDIT (2017)

DJI FlightHub products passed the SOC2 certification issued by the American Institute of Certified Public Accountants.

DJI Statement On Drone Data Security Concerns

These features show how DJI take data security seriously and enable users to keep their sensitive data safe.

Summarising its approach to drone data security, DJI concludes at the end of its 2025 White Paper:

'Drones have rapidly become a valuable tool for professional use, and users who work with high-security information demand the same type of strong security precautions for drones and drone data as they do for every other technology in their toolbox.

'Our White Paper demonstrates how DJI has embraced that challenge, and how we will continue to test, validate and improve our data security protocols.

'DJI has earned its leadership role in the industry by relentlessly innovating the features that define modern drones.

'Customers choose DJI products because our systems provide stable, reliable, flexible and highly capable aerial data collection, and they have made clear they want the data security protections necessary to let them continue using DJI systems.

'We have detailed our commitment to responsible data stewardship because we recognise how important it is for our customers.

'We hope our work to set high data standards can once again become a standard for the entire drone industry, encouraging strong protections and a deep-seated commitment to treating customer data with the respect it deserves.'

DJI Security Features: Summary

DJI drones are a great data collection tool, but it is crucial that operators feel confident about the integrity and security of this information.

Recognising this, and utilising the DJI Pilot app ecosystem, DJI's most advanced enterprise platforms feature robust processes to ensure users have control over the data they generate and that it is encrypted and protected from hijackers.

And DJI's security architecture is sure to evolve in the coming months and years to provide operators with even greater protection and reassurance about their drone data.   

To download DJI's white paper on data security, click here.

The heliguy™ enterprise team is available to discuss data security with your operations and security teams. Contact us for more information.