An app that those participating in next month’s Beijing Olympics must install on their phones poses serious security risks for personal information and raises censorship concerns due to more than 2,400 flagged words, an analysis by a Toronto research lab has found.
The Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy released a report Tuesday detailing major concerns about the app, MY2022, such as the possibility of files and audio recordings being easily intercepted by third parties.
“MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped,” reads the analysis.
“Health customs forms, which transmit passport details, demographic information, and medical and travel history are also vulnerable.”
Athletes, journalists and spectators at the Beijing Winter Games next month must install the app on their phones. The app belongs to Beijing Financial Holdings Group, which is owned by the Chinese government. Among its features are tourist information and GPS tracking.
Part of its function is to monitor the health of participants in relation to COVID-19, including vaccination status, passport information and other personal details for international users. The report said that, according to the official Olympic Games Playbook, such information can be processed by Chinese government authorities and the Beijing Organizing Committee.
But, according to the Citizen Lab analysis, the app does not validate Secure Sockets Layer (SSL) certificates, the credentials that tell browsers and apps whether a website is authentic and how to establish an encrypted connection with it.
The issue means people using the app can easily be redirected to fake websites seeking personal information if they click on a link that hasn’t been securely transmitted, said Citizen Lab research associate Jeffrey Knockel.
“If you don’t check that, you end up with this really amazing encryption but it’s not between you and the person you want it to be between,” Knockel said. “It’s between possibly an attacker who’s intercepting all this data and reading it.”
He said this could leave users open to phishing attacks, identity theft or even sensitive information being used to blackmail them.
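The following Go program is an added illustration of the point Knockel makes above; it is not code from the article, from Citizen Lab or from the MY2022 app. It generates a throwaway self-signed certificate for a constructed hostname (api.example.test), runs a TLS server on the loopback interface, and then connects to it with four client configurations: a client that checks the certificate against a trusted root and the expected name, the same client with the wrong expected name, the same client when the certificate comes from an issuer it does not trust, and finally a client with verification switched off. Only the last one accepts the untrusted certificate, which is the condition the report describes: the connection is still encrypted, but the client has no assurance of who is on the other end.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed hostname for the demo, not a real MY2022 endpoint.
const serverName = "api.example.test"

// makeSelfSignedCert builds a throwaway self-signed certificate for serverName.
// The same certificate serves as the server's identity and as the trust root
// that the correctly configured client pins.
func makeSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // hostname check matches against SANs
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// startServer listens on loopback with cert and completes handshakes until stopped.
func startServer(cert tls.Certificate) (addr string, stop func(), err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				_ = c.(*tls.Conn).Handshake() // an error here is the client refusing us
				c.Close()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// handshakeOK reports whether a client using cfg accepts the server at addr.
func handshakeOK(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg) // Dial performs the full handshake
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// RunScenarios starts the demo server and tries four client configurations.
// Result: scenario name -> whether the client accepted the connection.
func RunScenarios() (map[string]bool, error) {
	cert, parsed, err := makeSelfSignedCert()
	if err != nil {
		return nil, err
	}
	addr, stop, err := startServer(cert)
	if err != nil {
		return nil, err
	}
	defer stop()
	trusted := x509.NewCertPool()
	trusted.AddCert(parsed)
	untrusted := x509.NewCertPool() // empty: this client knows nothing about the issuer
	return map[string]bool{
		// Validating client, trusted root, expected name: accepted.
		"verify-trusted-root-correct-name": handshakeOK(addr, &tls.Config{RootCAs: trusted, ServerName: serverName}),
		// Validating client, but the certificate is not for the name we expect: rejected.
		"verify-trusted-root-wrong-name": handshakeOK(addr, &tls.Config{RootCAs: trusted, ServerName: "other.example.test"}),
		// Validating client, certificate from an unknown issuer: rejected.
		"verify-unknown-issuer": handshakeOK(addr, &tls.Config{RootCAs: untrusted, ServerName: serverName}),
		// Verification disabled (the flaw the report describes): the same unknown certificate is accepted.
		"skip-verify-unknown-issuer": handshakeOK(addr, &tls.Config{RootCAs: untrusted, ServerName: serverName, InsecureSkipVerify: true}),
	}, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-34s accepted=%v\n", name, ok)
	}
}
```

The fourth scenario is the one to look for when reviewing an app's network code: any setting that disables certificate or hostname checking (here Go's InsecureSkipVerify; Android and other platforms have their own equivalents) makes the encryption Knockel describes worthless against an on-path interceptor, because the client will happily negotiate that encryption with whoever answers.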
Other features of the app enable users to report “politically sensitive” content via its messaging function and include a keyword list of topics the Chinese government might consider problematic.
The analysis found that the Android version of the app contained a file labelled illegalwords.txt, containing 2,442 keywords considered largely politically sensitive in China.
Words on the list were related to issues such as the alleged genocide in the Xinjiang Uyghur Autonomous Region and Tibet. Keywords on the list include “CCP evil” and “the Holy Quran.”
The report said it is “unclear” whether the censoring capabilities are entirely inactive and pointed out that such lists are common in China-developed software. Knockel said the capability could be activated in a future version, which could then censor messages containing the keywords.
The analysis broaches the question of whether the weak points in the app were intentionally placed there by the developers. It said much of the data the app would be used to gather, such as health information, has already been submitted to Chinese authorities directly by users anyway, and adds that such shortcomings are “endemic to the Chinese app ecosystem.”
It said the Beijing Organizing Committee was made aware of the issues, but did not respond and had not fixed them two weeks after being notified.
“We’re still hoping that the developers fix these issues,” Knockel said.
As for advice to those using the app?
“There’s no simple one thing you can do to protect yourself. But try to use the app on a network that you trust.”
Jeremy Nuttall is a Vancouver-based investigative reporter for the Star. Follow him on Twitter: @Nuttallreports