The official app of the Beijing 2022 Winter Olympics, “My 2022”, has proven to be insecure when it comes to protecting its users’ sensitive data.
More importantly, the app’s encryption system has a significant flaw that allows intermediaries to access documents, audio, and files in plain text form.
As such, it violates Google’s software policy and Apple’s App Store guidelines, but is available in both stores. Finally, the app violates China’s own privacy laws.
In a detailed report, Citizen Lab researchers scanned the “My 2022” app for possible privacy and security issues and found that it collects, or requests access to, the following sensitive information:
- Device identifiers and model
- Cellular Service Provider Information
- Apps installed on the device
- Wireless network status
- Real-time location
- Audio information
- Access to device storage
- Access to location
However, using “My 2022” is not optional. All athletes, members of the press and the public must install the app and add their personal information to it.
For domestic users, “My 2022” collects names, national ID numbers, phone numbers, email addresses, profile pictures and employment information and shares them with the Beijing Organizing Committee for the 2022 Olympics.
For foreigners, “My 2022” collects complete passport information, daily health status, COVID-19 vaccination status, demographics and the organization they work for.
Even more concerning are flaws in the app’s SSL encryption, which allow unauthorized connections because server certificates are not properly validated.
According to Citizen Lab’s findings, an attacker can spoof at least five servers and intercept data sent from the app, tricking the app into treating a malicious host as trusted.
Thus, all sensitive data described above may be collected by third parties that are beyond the control of the Chinese government.
In addition to the server spoofing issue, analysts discovered that transmitted data is not always encrypted, so some transmissions containing sensitive metadata could be intercepted and read in plain text by simply eavesdropping on network packets.
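What the reported certificate-validation flaw looks like in code, as an added example that is not taken from the app or from Citizen Lab’s report: a client TLS context that accepts any certificate (the insecure pattern) beside the corrected one, plus a small audit helper of the kind an app-security reviewer would run. Python’s ssl module stands in for the mobile TLS stacks, and example.com is only a placeholder host.

```python
from __future__ import annotations

import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern behind the reported flaw: TLS is switched on, but the client
    accepts any certificate, so a spoofed server looks identical to the real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # hostname is never compared with the certificate
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated against trusted CAs
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected form: system CA store, chain validation and hostname matching,
    plus a floor on the protocol version."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a review would flag for a client-side TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def fetch_peer_cert(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Connect and return the validated peer certificate. With CERT_NONE the
    ssl module returns an empty dict: nothing about the server was actually checked."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Placeholder host; requires network access.
    print("insecure:", audit_client_context(insecure_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
    print("peer cert seen by insecure client:", fetch_peer_cert("example.com", insecure_client_context()))
    print("peer cert subject seen by hardened client:",
          fetch_peer_cert("example.com", hardened_client_context()).get("subject"))
```

With the insecure context the handshake succeeds against any certificate and getpeercert() comes back empty; the hardened context raises ssl.SSLCertVerificationError on a spoofed host instead.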
Disclosure and Response
The serious privacy and security risks discovered by Citizen Lab were reported to the Beijing Organizing Committee for the 2022 Winter Olympics and Paralympics on December 3, 2021.
To date (January 18, 2022), no one has responded, so researchers have publicly disclosed the flaws.
Yesterday, the developers of the application released version 2.0.5 of “My 2022”, and after a new round of analysis, it was determined that the reported problems were still not fixed.
On whether China intentionally placed the flaws in the app, Citizen Lab considers this highly unlikely, given that the recipient of the data is the Chinese state, which has no incentive to create additional backdoors for someone else.