A digital security watchdog claims an app that is mandatory for all attendees of the Winter Games in Beijing next month has serious security flaws.
Citizen Lab, an internet watchdog organization, this week published a report describing how the MY2022 app, which is mandatory for all Games attendees, has a simple but “devastating” flaw in which the encryption protecting users’ voice audio and file transfers can easily be hacked and sidestepped.
“Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable,” the report states. “Server responses can also be spoofed, allowing an attacker to display fake instructions to users.”
The authors of the report note that the MY2022 app is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.
“MY2022 includes features that allow users to report ‘politically sensitive’ content,” according to the report. “The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.”
Citizen Lab said it found that the “app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.”
The authors said that their findings were not entirely surprising.
“In light of our previous research, our findings analyzing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies.”