My2022, the companion mobile app for the upcoming Beijing 2022 Winter Olympics, which the Chinese authorities have allegedly mandated all participants and attendees download to their mobile devices, is riddled with cyber security flaws leaving it wide open to exploitation
This is according to researchers at Canada’s Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy – which came to prominence in 2021 for its role in exposing multiple governments’ illicit and unethical use of Pegasus, a “legitimate” spyware app.
The My2022 app is billed as a multipurpose service, incorporating functionality such as real-time chat, including voice audio chat, file transfers, and news and weather updates.
For visitors to China including accredited media and athletes, it also serves as a means to submit the health information that is now required to enter the country, such as Covid-19 vaccination records, test results, and once in China, daily self-reports.
According to Citizen Lab, the most significant security vulnerability relates to the app’s failure to properly validate SSL certificates, which means it cannot validate to whom it is sending sensitive user data. This leaves it open to a man-in-the-middle attack where a malicious actor can spoof a trusted server by intercepting the communications and deceiving the user’s device into connecting to the compromised server.
Citizen Lab also found that My2022 app transmits some sensitive data without any form of SSL encryption or other security measures at all. This data includes metadate relating to messages, including the names of senders and receivers and their account IDs. This data could be read by any “passive eavesdropper” for example someone in range of an unsecured Wi-Fi access point, a Wi-Fi hotspot owner, or of greater concern, a communications services provider (CSP).
Citizen Lab’s Jeffrey Knockel said the organisation disclosed these vulnerabilities to the Beijing games organising committee on 3 December 2021 but had not received any response. An updated version of the app released to Apple’s App Store on 17 January 2022 did not fix the issues and introduced a new health status reporting feature that also failed to securely transmit data.
Knockel’s team also found issues with the app’s privacy policy, which while reasonably clear in many regards does not always specify what organisations or entities it may share a user’s confidential health data, which may be a legitimate source of concern to some travellers to China.
They also found evidence that the app contains blocking and censorship measures, uncovering a list of banned keywords covering political topics related to China.
However, Citizen Lab stopped short of saying that the vulnerabilities were intentionally placed at the behest of the Chinese government. Even though China does openly use technology to conduct illicit surveillance and legitimate concerns do exist over the security of software developed by Chinese companies (such as TikTok) there was in this instance no point in Beijing intercepting data – such as the Covid-19 status of visitors – that it would be collecting anyway at the visitor’s port of entry.
“Our prior work suggests that insufficient protection of user data is endemic to the Chinese app ecosystem. While some work has ascribed intentionality to poor software security discovered in Chinese apps, we believe that such a widespread lack of security is less likely to be the result of a vast government conspiracy but rather the result of a simpler explanation such as differing priorities for software developers in China,” wrote Knockel.
He added it was worth noting that the Chinese government has taken “significant steps” to rein in the invasive collection of personal data by Chinese companies – note the introduction of its GDPR-like PIPL laws last year. Indeed, he added, My2022’s insecure transmission of data may actually violate China’s new privacy laws. It certainly violates the Ts&Cs app developers must adhere to to be listed on the Google Play Store and Apple App Store.
“In light of our previous research, our findings analysing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies,” wrote Knockel.
“While we found glaring and easily discoverable security issues with the way that MY2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese Web browsers.”
IOC pushes back
The International Olympic Committee (IOC) has pushed back against Citizen Lab’s report, saying that contra to its report, it was not compulsory for visitors to use My2022 – as attendees can also access services such as Covid-19 monitoring and tracking via a website.
The organisation also said it was possible for users to configure the app to deny it access to files and media, their device’s camera and microphone, and location data, among other things.
Chris Hauk, consumer privacy champion at Pixel Privacy, said: “Users should share as little information as possible with the app, and are also advised to make sure their login and password information is different from that used on other apps, websites, and other users. Users should also delete the app from their devices as soon as possible. At the very least, uninstall it after clearing Chinese airspace, in order to protect against any possible hacking attempts in the future.”
Chris Olson, CEO at the Media Trust, an enterprise digital safety platform, said the issues in My2022 spoke to wider problems in the mobile app ecosystem: “Not all mobile apps are susceptible to man-in-the-middle attacks, but most of them do contain undisclosed third parties who can access the same user data as the developer.
“Mobile users frequently assume that they are safe either because of app store policies, or because they have consented to terms of service but third parties are not carefully checked by app reviewers, and they are rarely monitored for safety. They can be hijacked to execute phishing attacks, share sensitive data with fourth or fifth parties, suffer a data breach caused by lax security practices, or worse.”
Ahead of Citizen Lab’s disclosures, the British Olympic Association (BOA) has previously warned visiting athletes to leave their personal devices in the UK before travelling to China, and offered them the use of so-called burner phones for the duration of their trip. The Dutch Olympic Committee has taken similar steps.
