Analysts find Chinese app MY2022 may not protect sensitive data entered by users
An app that all participants in the 2022 Winter Olympics in Beijing, held between February 4 and February 20, 2022, are mandated to use has been found to have a significant flaw that leaves much of the sensitive data entered into the app vulnerable.
Cybersecurity group the Citizen Lab said in an article published on January 18, 2022 that the flaw in the MY2022 application means that “encryption protecting users’ voice and file transfers can be trivially circumvented”.
The types of data captured in the app include passport details, demographic information, and medical and travel history, which Citizen Lab says is vulnerable.
The group adds that server responses can also be spoofed, allowing an attacker to display false instructions to users.
Although the application makes clear what information it collects, analysts say it is not clear with whom this information is shared. Analysis revealed that MY2022 fails to validate SSL certificates, and therefore fails to validate who it sends sensitive and encrypted data to.
Citizen Lab pointed out that the app’s security flaws could violate not only Google’s Unwanted Software Policy and Apple’s App Store guidelines, but also China’s own national laws and standards relating to the protection of privacy, offering potential avenues of redress.
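To make the certificate validation finding concrete, the following added example (not code from MY2022 or from Citizen Lab) contrasts a TLS client configuration that skips validation with one that performs it, and shows a guard that refuses to connect through a non-validating configuration. It uses Python's standard `ssl` module as a stand-in for the mobile platform APIs; all function names are hypothetical.

```python
import socket
import ssl

def unverified_context():
    """Validation switched off: accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    """Common half-fix: chain is verified, but the name on the certificate is not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.load_default_certs()
    return ctx

def verified_context():
    """Chain verified against the system trust store and hostname checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit(ctx):
    """Return the validation gaps in a client SSLContext (empty list means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings

def open_tls(host, port, ctx, timeout=5.0):
    """Connect only if the context authenticates the server; otherwise refuse."""
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing to send data: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError):
        raw.close()
        raise

if __name__ == "__main__":
    for make in (unverified_context, chain_only_context, verified_context):
        print(make.__name__, "->", audit(make()) or "ok")
```

With either of the first two contexts the traffic is still encrypted, but the client has no assurance about who holds the other end of the connection, which is the condition the report describes.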
The Chinese government is well known for censoring online media within its borders and MY2022 is no exception.
The app includes features that allow users to flag politically sensitive content, and it contains a censorship keyword list which Citizen Lab says is inactive at the time of writing but targets a variety of political topics, including national issues such as Xinjiang and Tibet, and references to Chinese government agencies.
Citizen Lab said: “Our results analyzing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies.”