MY2022 Beijing Olympics App Has Security Holes, Collects Personal Data: REPORT
Researchers have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.
An app that those participating in next month’s Beijing Olympics must install on their phones poses serious security risks for personal information and raises censorship concerns due to more than 2,400 flagged words, an analysis by a Toronto research lab has found.
The Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy released a report Tuesday detailing major concerns about the app — called MY2022 — such as the possibility of files and audio recordings being easily intercepted by third parties.
The app reportedly collects sensitive personal data — like passport details, medical data, and travel history — and analysis by security researchers reveals that the code has two security holes that could expose this information:
Due to the COVID-19 pandemic, China has decided to implement a “closed-loop” management system and daily testing. Additionally, all international and domestic attendees of the Games are mandated to download MY2022 14 days prior to their departure for China and to start monitoring and submitting their health status to the app on a daily basis […]
[We found] two security vulnerabilities in MY2022 related to the security of the transmission of user data. First, we describe a vulnerability in which MY2022 fails to validate SSL certificates, thus failing to validate to whom it is sending sensitive, encrypted data. Second, we describe data transmissions that MY2022 fails to protect with any encryption.
Athletes, journalists and spectators at the Beijing Winter Games next month must install the app on their phones. The app belongs to Beijing Financial Holdings Group, which is owned by the Chinese government. Among its features are tourist information and GPS tracking.
Part of its function is to monitor the health of participants related to COVID-19, including vaccination status, passport information and other personal details for international users. The report said that, according to the official Olympic Games Playbook, such information can be processed by Chinese government authorities and the Beijing Organizing Committee.
Overall, the analysis asks whether the weak points in the app were placed there intentionally by the developers. It notes that much of the data the app would be used to gather, such as health information, has already been submitted directly to Chinese authorities by users anyway, and adds that such shortcomings are “endemic to the Chinese app ecosystem.”
Read Citizen Lab’s entire analysis here.