An app mandated for use by all attendees of the 2022 Winter Olympic Games in Beijing between 4 and 20 February 2022 has been found to have a significant flaw which leaves much of the sensitive data input into the app vulnerable.
Cyber security group the Citizen Lab said in an article published on 18 January 2022 that, because of the flaw, in the MY2022 app “encryption protecting users’ voice audio and file transfers can be trivially sidestepped”.
The types of data being input into the app include passport details, demographic information, and medical and travel history, all of which Citizen Lab says are vulnerable.
The group adds that server responses can also be spoofed, allowing an attacker to display fake instructions to users.
While the app makes clear what information it collects, the analysts say it is unclear with whom that information is shared. The analysis found that MY2022 fails to validate SSL certificates, and therefore fails to validate to whom it is sending sensitive, encrypted data.
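To make concrete what a client that skips certificate validation gives away, here is an added example (not Citizen Lab's analysis code and not MY2022's code) in Go that runs a local TLS server with a self-signed certificate, standing in for a spoofed server, and compares three client policies against it: verification disabled, Go's default verification against the system trust store, and trust restricted to one expected certificate. The server, its "spoofed instructions" response and the policy names are constructed for the demonstration; only the Go standard library is used.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records what one client policy ends up with.
type Outcome struct {
	Body string // what the client would show to the user
	Err  error  // non-nil when the client refused the connection
}

// spoofedReply is the constructed "fake instructions" the impostor serves.
const spoofedReply = "SPOOFED: proceed to gate 13 for screening"

// startImpostor starts a loopback TLS server whose self-signed certificate is
// trusted by no system root store. It plays the role of a spoofed server.
func startImpostor() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, spoofedReply)
	}))
}

// fetch performs one GET under the given TLS client policy.
func fetch(url string, cfg *tls.Config) Outcome {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}
	resp, err := client.Get(url)
	if err != nil {
		return Outcome{Err: err} // handshake refused: nothing reaches the user
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Outcome{Err: err}
	}
	return Outcome{Body: string(body)}
}

// RunComparison exercises three client policies against the local server:
//   - noVerify:    certificate checks disabled; any server is accepted, so the
//                  spoofed reply is displayed as if it were genuine.
//   - systemRoots: Go's default verification against the OS trust store; the
//                  self-signed certificate is rejected and no body is shown.
//   - pinned:      trusts exactly one expected certificate. For this leg the
//                  local server is treated as the genuine service, to show that
//                  strict validation still lets legitimate traffic through.
func RunComparison() (noVerify, systemRoots, pinned Outcome) {
	srv := startImpostor()
	defer srv.Close()

	noVerify = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	systemRoots = fetch(srv.URL, &tls.Config{})

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // the one certificate the app expects
	pinned = fetch(srv.URL, &tls.Config{RootCAs: pool})
	return noVerify, systemRoots, pinned
}

func main() {
	nv, sr, pn := RunComparison()
	fmt.Printf("verification disabled : body=%q err=%v\n", nv.Body, nv.Err)
	fmt.Printf("system roots          : body=%q err=%v\n", sr.Body, sr.Err)
	fmt.Printf("pinned certificate    : body=%q err=%v\n", pn.Body, pn.Err)
}
```

The first policy is the behaviour the report describes: because the client never checks who presented the certificate, encryption is still negotiated but with whoever answers, and the reply is shown to the user as if it came from the real service. The other two policies make the server prove its identity first, which is what turns a spoofed response into a failed connection.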
The Citizen Lab has highlighted that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.
China’s government is well known for censorship of online media within its borders and MY2022 is no exception.
The app includes features that allow users to report politically sensitive content and ships with a censorship keyword list, which Citizen Lab says was inactive at the time of writing but targets a variety of political topics, including domestic issues such as Xinjiang and Tibet and references to Chinese government agencies.
The Citizen Lab said: “Our findings analyzing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies.”