The official app for Beijing 2022 Winter Olympics, ‘My 2022,’ was found to be insecure when it comes to protecting the sensitive data of its users.
Most importantly, the app’s encryption system carries a significant flaw that enables middle-men to access documents, audio, and files in cleartext form.
‘My 2022’ is also subject to censorship based on a list of keywords and has an unclear privacy policy that doesn’t determine who exactly receives and processes all the sensitive data users have to upload to it.
As such, it is violating Google’s software policy and Apple’s App Store guidelines, yet it is available in both stores. Finally, the app violates China’s own laws regarding privacy protection.
Requesting everything
In a detailed report by Citizen Lab, researchers analyzed the ‘My 2022’ app for potential privacy and security issues and found that the app collects the following sensitive information:
Device identifiers and model
Cellular service provider information
Installed apps on the device
WLAN status
Real-time location
Audio information
Device storage access
Location access
This data collection is disclosed in the privacy policy and is required for COVID-19 protection controls, translation services, Weibo integration, and tourism recommendations and navigation.
However, using ‘My 2022’ isn’t optional. All athletes, members of the press, and the audience have to install the app and add their personal information to it.
For domestic users, ‘My 2022’ collects names, national identification numbers, phone numbers, email addresses, profile pictures, and employment information and shares it with the Beijing Organizing Committee for the 2022 Olympics.
For foreigners, ‘My 2022’ collects complete passport information, daily health status, COVID-19 vaccination status, demographic data, and which organization they work for.
Insecure communications
Even more concerning are flaws in the app’s SSL-based encryption that allows rogue connections due to certification validation issues.
According to the findings of Citizen Lab, an attacker may spoof at least five servers and intercept data sent from the app, tricking it into seeing a malicious host as trusted.
As such, all of the sensitive data described in the previous section can be collected by third parties that are out of the Chinese government’s control.
In addition to the server spoofing problem, the analysts found transmitted data is not always encrypted, so some transmissions containing sensitive metadata could be intercepted and read in plaintext form via simple network packet eavesdropping.
Disclosure and response
The severe privacy and security risks discovered by Citizen Labs were reported to the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games on December 3, 2021.
As of today (January 18, 2022), nobody has responded, so the researchers publicly disclosed the flaws.
Yesterday, the app developers released the ‘My 2022’ version 2.0.5, and upon a new round of analysis, it was determined that the reported issues still remain unresolved.
On the question of whether China placed the flaws in the app intentionally, Citizen Labs finds that highly unlikely, considering that the recipient of the data is the Chinese state, and there’s no incentive to create additional backdoors for anyone else.