CHINA WATCHSecurity Flaws in China’s Mandatory Olympics App for Athletes
Athletes arriving at the Winter Olympics in China will have to install a Chinese-made app, called MY2022, on their smartphones, and fill in detailed information about themselves. China says that app, which the athletes will have to carry with them and periodically update, will be used to report health and travel data when they are in China. Athletes who fail to install the app, or who fail to fill in and update the information, will be sent home. Cyber analysts have found serious security and privacy flaws in the app.
Athletes arriving at the Winter Olympics in China will have to install a Chinese-made app, called MY2022, on their smartphones, and fill in detailed information about themselves. China says that app, which the athletes will have to carry with them and periodically update, will be used to report health and travel data when they are in China. Athletes who fail to install the app, or who fail to fill in and update the information, will be sent home.
A new report by the University of Toronto’s Citizens Lab says that cyber experts found serious encryption flaws in the app, raising security and privacy questions.
Citizen Lab’s analysts found that those parts of the app which will transmit coronavirus test results, travel information, and other personal data failed to verify the signature used in encrypted transfers, or did not encrypt the data at all.
The analysts also found that the app’s code includes several political terms marked for censorship, even though the app does not appear actively to use the list of terms to filter communications.
Here is the Citizens Lab’s report:
Key Findings
· MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
· MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.
· MY2022 includes features that allow users to report “politically sensitive” content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.
· While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.
