Beijing Winter Olympics app a possible privacy risk, yet officially available in the Google and Apple app stores


My 2022, the official app of the Beijing 2022 Winter Olympics, has been found to be insecure in terms of protecting users’ sensitive data

Cross-Country Exposure: Analysis of the MY2022 Olympics App - The Citizen Lab
MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voic...

The MY2022 app, which all participants in the Beijing 2022 Olympics are required to use, has a fatal flaw: the encryption that is supposed to protect users’ voice and file transfers can be easily circumvented.

Health certificates that transmit passport information, demographic information, and medical and travel history are also vulnerable. The server’s responses can also be spoofed, allowing an attacker to display false information to the user.

Most importantly, the app’s encryption system has a serious flaw that allows an attacker to access documents, audio, and files in plain text.

It also performs censorship based on a list of keywords, and its privacy policy is unclear about exactly who receives and processes all the sensitive data that users are required to upload.

As a result, it violates Google’s software policies and Apple’s App Store guidelines, yet it is available in both stores. The app also violates China’s own privacy protection laws.

The “My 2022” app that all participants are supposed to install and use

“My 2022” is an app that allows users to access their personal information.

A report by Citizen Lab analyzed the “My 2022” app for potential privacy and security issues and found that the app collects sensitive information such as:

  • Device identification and model
  • Mobile carrier information
  • Apps installed on the device
  • Wi-Fi status
  • Real-time location information
  • Audio information
  • Access to location information

The app’s privacy policy discloses this data collection and describes it as necessary for COVID-19 protection controls, translation services, Weibo integration, and tourism recommendations and navigation.

However, the use of “My 2022” is not optional.

Athletes, press, and spectators all have to install the app and enter their personal information into it.

For domestic users, “My 2022” will collect your name, national identification number, phone number, email address, profile photo and employment information, which will be shared with the Beijing Organizing Committee of the 2022 Olympic Games.

For foreign nationals, “My 2022” collects complete passport information, daily health status, COVID-19 vaccination status, demographic data, and which organization you work for.

Flawed communication encryption

More problematic still, the app’s SSL-based encryption is flawed: it does not properly validate the server it is talking to, so unauthorized connections are accepted.

According to Citizen Lab’s findings, an attacker can impersonate at least five of the app’s servers, intercept the data the app sends, and trick the app into treating the malicious host as trusted.

Thus, all of this sensitive data may be collected by third parties that are not under the control of the Chinese government.

It is also pointed out that, in addition to the server spoofing problem, some outgoing data, including sensitive metadata, is not encrypted at all and can be intercepted and read in plain text by simple network packet sniffing.
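As an added illustration (not code from this article or from Citizen Lab), the two client-side conditions described above, a TLS client that never verifies the server it talks to and endpoints that skip TLS entirely, can be expressed and checked with Python’s ssl module; the hostnames are constructed placeholders, not the app’s real servers:

```python
import ssl
from urllib.parse import urlparse

# Constructed sample endpoints (placeholder hosts, not the app's real servers):
# two reached over TLS, one sending data over plain HTTP.
SAMPLE_ENDPOINTS = [
    "https://api.example.invalid/health-code/upload",
    "http://api.example.invalid/device-metadata",
    "https://files.example.invalid/transfer",
]


def weak_context():
    """Reproduces the failure mode described in the report: TLS is spoken,
    but the peer certificate is never checked, so any host that answers,
    including an impersonator, is accepted as the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_context():
    """What a client handling passport and health data should do: verify the
    chain against trusted roots, match the hostname, and require TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise against a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")    # server can be impersonated
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")  # any valid cert would do
    return findings


def plaintext_endpoints(urls):
    """Endpoints that skip TLS entirely: readable by anyone on the network path."""
    return [u for u in urls if urlparse(u).scheme != "https"]


if __name__ == "__main__":
    print("weak client:", audit_context(weak_context()))
    print("hardened client:", audit_context(hardened_context()))
    print("plaintext endpoints:", plaintext_endpoints(SAMPLE_ENDPOINTS))
```

The same audit can be pointed at any SSLContext a client library builds, which is how a reviewer would catch a "trust everything" configuration before it ships.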

Disclosure and response

The serious privacy and security risks discovered by Citizen Lab were reported to the Beijing Organizing Committee of the 2022 Olympic and Paralympic Winter Games on December 3, 2021.

At the time of writing (January 18, 2022), there had been no response, so the researchers publicly disclosed the flaws.

The app’s developer has since released version 2.0.5 of “My 2022”, but further analysis shows that the reported issues have still not been resolved.

As for whether China intentionally made the app flawed, we think it is highly unlikely, given that the recipient of the data is the Chinese state itself, which has no incentive to create additional backdoors for others.
