Security flaws discovered in My2022 app for Beijing Winter Olympics


Photo: Pavlo Gonchar/SOPA Images/LightRocket (Getty Images)

An application that visitors to the Olympic Games 2022 in Beijing are forced to download is also a cybersecurity nightmare that threatens to expose much of the data it collects, according to a new report.

MY2022, the mandatory app for visitors to this year’s Winter Games, offers a variety of services, including tourist recommendations, Covid-related health monitoring and GPS navigation. It was designed by the Beijing Organizing Committee and is officially owned by a Chinese state-backed company, the Beijing Financial Holdings Group. While the app is meant to provide an enhanced visitor experience, researchers found it also collects a wealth of personal information about its users which it apparently makes no effort to secure.

According to a new report by digital researchers from the Citizen Lab at the University of Toronto, the app is so insecure that it may violate China’s own data security law, the Personal Information Protection Law, which came into force at the end of last year and is supposed to provide basic data protection for Chinese citizens. The application may also be in violation of Google’s Unwanted Software Policy, which helps weed out malicious apps from the Android ecosystem, as well as Apple’s App Store guidelines, the report notes.

The researchers looked at version 2.0.0 for iOS and version 2.0.1 for Android, finding that both seemed to suffer from similar shortcomings in how they handle encryption and data transmission.

According to Citizen Lab, the application often fails to validate SSL certificates, which means it does not check the identity of the server it actually sends data to. This exposes users to potential man-in-the-middle attacks, in which an attacker could spoof a connection to a legitimate website and thus steal data sent by the app. At the same time, the researchers discovered that the app also transmits certain types of metadata without any SSL encryption or other security protection at all, leaving it wide open to inspection by anyone on the network path in some cases.
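As an added illustration of the certificate-validation failure described above (this is not code from the report or from MY2022, and it uses Python’s standard ssl module rather than the app’s own platform APIs), here is the weak client configuration beside the corrected one, with a small review check a defender can run over a client’s TLS context:

```python
import ssl


def weak_context() -> ssl.SSLContext:
    """A client context of the kind the report describes: certificate validation is
    switched off, so any server (or interceptor) presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no check that the cert names the host we dialed
    ctx.verify_mode = ssl.CERT_NONE     # no check that the cert chains to a trusted CA
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration: chain validation against the platform trust store plus
    hostname matching, which is what stops a spoofed endpoint from impersonating the server."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would flag for a client-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```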

In summary, despite collecting large amounts of sensitive health and travel information from its users (think passport details, medical history, demographics, etc.), MY2022 lacks safeguards to protect it. Researchers say they disclosed the issues to the Beijing organizing committee more than a month ago on Dec. 3, but never heard back.

We have contacted the Beijing Organizing Committee to comment on this story and will update if they respond.

While the Beijing committee has never responded to Citizen Lab, it did recently release a newer version of the app, 2.0.5 for iOS, which not only fails to fix all of the reported security issues but apparently introduces a new one: the latest version of the app includes a new feature, called Green Health Code, designed to manage travel documents and health data, which, like its other features, transmits data in an insecure manner, the researchers write.

Given China’s status as a surveillance giant, it might be tempting to view this shoddy security design as some kind of deliberate Chinese government plot to suck up visitors’ information. And while MY2022 may seem suspicious, Citizen Lab infers that it could be something altogether less sinister than that. They note that much of the data that has been left vulnerable to theft is already openly collected by the Chinese government (the app’s privacy policy explains this), so there would be little reason to build in a covert monitoring channel. The report also notes that digital security is generally weak across the Chinese app ecosystem, and, therefore, it could be that the developers of MY2022 just created a crappy app, not a sneaky one.

“We believe that such a widespread lack of security is less likely to be the result of a broad government conspiracy, but rather the result of a simpler explanation such as different priorities for software developers in China,” the researchers write of the security failures.