Investigators find Beijing 2022 app riddled with security flaws

My2022, the companion mobile app for the forthcoming Beijing 2022 Winter Olympics, which Chinese authorities are reported to require all participants to install on their mobile devices, is riddled with cybersecurity flaws that leave it wide open to exploitation.

That is the finding of researchers at Canada's Citizen Lab, an interdisciplinary lab based at the University of Toronto's Munk School of Global Affairs and Public Policy, which rose to prominence in 2021 for its role in exposing the illicit and unethical use by multiple governments of Pegasus, a commercially sold "legitimate" spyware product.

The My2022 app is billed as a multi-purpose service, incorporating features such as real-time text and voice chat, file transfers, and news and weather updates.

For visitors to China, including accredited media and athletes, it also serves as the means of submitting the health information now required to enter the country, such as Covid-19 vaccination records and test results and, once in China, the daily health self-reports.

According to Citizen Lab, the most significant security vulnerability is the application's failure to properly validate SSL/TLS certificates, meaning it cannot verify the identity of the server it is sending sensitive user data to. This leaves the door open to a man-in-the-middle attack: an attacker who can intercept the connection presents a certificate of their own in place of the real server's, the app accepts it without complaint, and the user's device ends up sending its data to the attacker, who can read or alter it before passing it on.

Citizen Lab also found that the My2022 app transmits certain sensitive data without SSL/TLS encryption or any other protection. This data includes metadata about chat messages, such as the names of senders and recipients and their account identifiers. Unlike the man-in-the-middle attack above, reading this data requires no active interception: it can be read by any "passive listener", for example someone within range of an unsecured Wi-Fi hotspot, the hotspot's owner or, more worryingly, a communications service provider (CSP).
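The two weaknesses above, a client that accepts any certificate and a client that sends data in the clear, can be reproduced side by side on a loopback socket. The Go program below is an added example and is not code from Citizen Lab or from the app's developers; it assumes a constructed backend hostname (api.example.test), a constructed chat message, and uses Go's InsecureSkipVerify flag as a stand-in for whatever the app does to skip validation, which the report summarized here does not detail. It mints a self-signed certificate (exactly what an interceptor on the path could mint), then sends the same message four ways: without TLS, with certificate checks disabled, with normal system trust, and with the expected certificate pinned. A tap on the client side of the socket records what a passive listener would see.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Host is a constructed hostname standing in for the app's backend.
const Host = "api.example.test"

// SelfSignedCert mints a throwaway certificate for Host: valid-looking, but
// signed by nobody a correctly written client should trust.
func SelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: Host},
		DNSNames:              []string{Host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// AcceptAnyCert is the mistake the report describes: the client never checks
// who signed the certificate, so an interceptor's certificate is accepted.
func AcceptAnyCert() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// SystemTrust verifies the chain against the platform root store.
func SystemTrust() *tls.Config { return &tls.Config{ServerName: Host} }

// PinnedTrust trusts only the one certificate the app is expected to talk to.
func PinnedTrust(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{ServerName: Host, RootCAs: pool}
}

// tapConn records everything the client writes, as a passive listener would.
type tapConn struct {
	net.Conn
	seen bytes.Buffer
}

func (t *tapConn) Write(p []byte) (int, error) { t.seen.Write(p); return t.Conn.Write(p) }

// Send connects to a loopback server presenting serverCert, sends msg with the
// given client config (nil means no TLS at all) and returns the bytes seen on
// the wire plus the handshake or write error, if any.
func Send(serverCert tls.Certificate, cfg *tls.Config, msg string) ([]byte, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // server side: discard whatever arrives, over TLS or not
		defer close(done)
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		if cfg != nil {
			c = tls.Server(c, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		}
		io.Copy(io.Discard, c)
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return nil, err
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	tap := &tapConn{Conn: raw}
	var c net.Conn = tap
	if cfg != nil {
		c = tls.Client(tap, cfg) // the handshake runs on the first Write
	}
	_, err = c.Write([]byte(msg))
	c.Close()
	<-done
	return tap.seen.Bytes(), err
}

func main() {
	cert, root, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	msg := `{"from":"alice","to":"bob","text":"hello"}` // constructed sample message
	for name, cfg := range map[string]*tls.Config{
		"no TLS": nil, "accept any cert": AcceptAnyCert(),
		"system trust": SystemTrust(), "pinned": PinnedTrust(root),
	} {
		wire, err := Send(cert, cfg, msg)
		var unknown x509.UnknownAuthorityError
		fmt.Printf("%-16s handshake error=%v  unknown authority=%v  names readable on wire=%v\n",
			name, err != nil, errors.As(err, &unknown), bytes.Contains(wire, []byte("alice")))
	}
}
```

Only the "system trust" run fails, with an unknown-authority error, which is the behaviour a properly validating app would show when an interceptor steps in; "accept any cert" connects happily to the forged server. The "no TLS" run is the only one in which the sender's name is readable on the wire, which is what the passive-listener finding amounts to. The equivalent check against a real app is to route it through an intercepting proxy whose certificate the device has not been told to trust: an app that still connects is not validating.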

Citizen Lab’s Jeffrey Knockel said the organization disclosed the vulnerabilities to the Beijing Games Organizing Committee on 3 December 2021, but received no response. An updated version of the app released on the Apple App Store on 17 January 2022 did not fix the issues, and introduced a new health status reporting feature which likewise failed to transmit its data securely.

Knockel’s team also found issues with the app’s privacy policy, which, while reasonably clear in many respects, does not always specify which organizations or entities a user’s confidential health data may be shared with, which may be a legitimate source of concern for some travelers to China.

They also found evidence that the app contains content-blocking and censorship measures, uncovering a list of banned keywords covering political topics relating to China.

However, Citizen Lab refrained from saying that the vulnerabilities were planted deliberately at the request of the Chinese government. Although China openly uses technology to conduct illicit surveillance, and there are legitimate concerns about the security of software developed by Chinese companies (such as TikTok), in this case Beijing would have little interest in intercepting data, such as visitors’ Covid-19 status, that it collects anyway at the visitor’s port of entry.

“Our previous work suggests that insufficient protection of user data is endemic to the Chinese app ecosystem. While some works have attributed intentionality to the poor software security discovered in Chinese apps, we believe that such a widespread lack of security is less likely to be the result of a broad government conspiracy, but rather the result of a simpler explanation such as different priorities for software developers in China,” Knockel wrote.

He added that it is worth noting that the Chinese government has taken “significant steps” to curb the invasive collection of personal data by Chinese companies, notably the introduction last year of its GDPR-like Personal Information Protection Law (PIPL). Indeed, he added, My2022’s insecure transmission of data may actually violate China’s new privacy law. It certainly violates the terms and conditions that app developers must adhere to in order to be listed on the Google Play Store and Apple’s App Store.

“In light of our previous research, our results analyzing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies,” Knockel wrote.

“While we found glaring and easily detectable security issues with the way MY2022 performs encryption, we also observed similar issues in Chinese-developed Zoom, as well as in the most popular Chinese web browsers.”

The IOC pushes back

The International Olympic Committee (IOC) rebuffed Citizen Lab’s report, saying that, contrary to its findings, it was not mandatory for visitors to use My2022, since participants could also access services such as Covid-19 health monitoring via a website.

The organization also said that users can configure the app to deny it access to files and media, their device’s camera and microphone, and location data, among other things.

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, said: “Users should share as little information as possible with the app, and it is also advisable to ensure that their login and password information is different from that used on other apps and websites. Users should also remove the app from their devices as soon as possible. At the very least, uninstall it after clearing Chinese airspace, to protect yourself from possible hacking attempts in the future.”

Chris Olson, CEO of The Media Trust, an enterprise digital security platform, said My2022’s issues relate to broader problems in the mobile app ecosystem: “Not all mobile apps are susceptible to man-in-the-middle attacks, but most of them contain undisclosed third parties who can access the same user data as the developer.

“Mobile users often assume they are safe either because of App Store policies or because they have consented to terms of service, but third parties are not thoroughly vetted by app reviewers and their security is rarely monitored. They can be hijacked to execute phishing attacks, share sensitive data with fourth or fifth parties, suffer a data breach caused by lax security practices, or worse.”

Ahead of the Citizen Lab revelations, the British Olympic Association (BOA) had already advised visiting athletes to leave their personal devices in the UK before traveling to China, and offered them so-called burner phones for the duration of their trip. The Dutch Olympic Committee has taken similar action.

About Donald J. Beadle
