January 18, 2022
Report: Chinese Olympic app has serious security flaws
A smartphone app that's expected to be widely used by athletes and others attending next month's Winter Games in Beijing has glaring security problems that could expose sensitive data to interception, according to a report published Tuesday.
Citizen Lab, an internet watchdog group, said in its report the MY2022 app has seriously flawed encryption that would make users' sensitive data—and any other data communicated through it—vulnerable to being hacked. Other important user data on the app wasn't encrypted at all, the report found.
That means the data could be read by Chinese internet service providers or telecommunications companies through Wi-Fi hotspots at hotels, airports and Olympic venues.
The Citizen Lab report said the app was mandatory for attendees of the games, and the International Olympic Committee's official guidance instructs attendees to download the app before they come to China. But the IOC issued a statement Tuesday saying the smartphone app was not compulsory.
The IOC also pushed back against Citizen Lab's report, saying two independent cybersecurity testing organizations had found no critical vulnerabilities with the app.
China is requiring all international Olympic attendees—including coaches and journalists—to log into a health monitoring system at least 14 days before their departure. They can use the app to do so, or can log in through a web browser on a PC. The app allows users to submit required health information on a daily basis and is part of China's aggressive effort to manage the coronavirus pandemic while hosting the games, which begin Feb. 4. The multipurpose app also includes chat features, file transfers, weather updates, tourism recommendations and GPS navigation.
Citizen Lab's report comes amid heightened concerns over athletes' data and privacy. Many countries are advising their athletes not to take their normal smartphones to China, but instead to bring temporary—or burner—phones that do not store any sensitive personal data, according to news reports.
The U.S. Olympic & Paralympic Committee issued an advisory to athletes telling them to "assume that every device and every communication, transaction, and online activity will be monitored."
"There should be no expectation of data security or privacy while operating in China," the advisory said.
China has a well-documented history of conducting muscular surveillance of its citizens and aggressive cyber-spying on others. But Citizen Lab said there was no evidence that the easily discoverable security flaws in the MY2022 app were placed intentionally by the Chinese government. For one, much of the sensitive health information held on the app is required to be submitted directly to authorities on health customs forms, the report said.
Citizen Lab said the security vulnerabilities found in MY2022 app are similar to those found in popular Chinese web browsers and noted that "insufficient protection of user data is endemic to the Chinese app ecosystem."
"In light of previous work analyzing popular Chinese apps, our findings concerning MY2022 are, while concerning, not surprising," the report said.
Citizen Lab said it reported the security issues to the Beijing Organizing Committee last month but did not receive a response. The report also said the app's security flaws could run afoul of Apple's and Google's policies for software used on iPhones and Android devices. The two companies did not immediately return a request for comment.
The Android version of the MY2022 app included a list named "illegalwords.txt" that included 2,442 keywords, including some that could be politically sensitive and relate to China's actions toward Tibet and the Uyghur ethnic group.
The report said despite having the list bundled with the app, it does not appear to function. The Chinese government has long required tech companies to censor content and keywords deemed politically sensitive or inappropriate.
© 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.