‘My 2022,’ the official app for the Beijing 2022 Winter Olympics, was found to be insecure in how it protects its users’ critical data. In particular, the app’s encryption has a serious hole that allows man-in-the-middle attackers to read documents, audio, and files in cleartext.
‘My 2022’ is also susceptible to censorship based on a list of keywords, and it has an ambiguous privacy policy that does not specify who receives and handles all of the personal data that users must submit to it. As a result, it violates Google’s software policy as well as Apple’s App Store requirements, despite being published in both stores. Furthermore, the app violates China’s own privacy protection regulations.
In a comprehensive examination, Citizen Lab researchers investigated the ‘My 2022’ app for privacy and security vulnerabilities and found that the app collects the following sensitive material: model and device identifiers, cellular service provider information, the apps installed on the device, the current WLAN state, real-time location, audio information, access to the device’s storage, and access to a certain location.
This information is collected in accordance with the privacy policy and is requested for COVID-19 protective measures, translation services, Weibo integration, and tourism suggestions and guidance. Using ‘My 2022’, however, is not optional: all athletes, members of the press, and spectators must download the app and enter their personal information.
From domestic users, ‘My 2022’ gathers names, national identity numbers, phone numbers, email addresses, profile images, and employment records, and transmits the data to the Beijing Olympic Organizing Committee. From foreign users, it gathers comprehensive passport details, daily health status, COVID-19 vaccination status, demographic information, and employer.
Far more alarming are the app’s SSL encryption weaknesses, which enable unauthorized connections because of certificate validation failures. According to Citizen Lab’s research, an adversary may spoof at least five servers and intercept data transferred from the app, fooling it into trusting a malicious site.
As a result, all of the sensitive information listed above can be gathered by third parties who are not under the jurisdiction of the Chinese government. Aside from the server spoofing issue, the researchers found that some data is sent without any encryption at all, so some transmissions containing important metadata can be captured and read in cleartext by simple network packet sniffing.
On December 3, 2021, Citizen Lab reported the significant privacy and security vulnerabilities it had uncovered to the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games. As of today (January 18, 2022), nobody has responded, so the researchers have disclosed the flaws publicly.
The app’s developers released version 2.0.5 of ‘My 2022’ yesterday, and a new round of testing showed that the reported flaws remain unfixed. Citizen Lab considers it highly improbable that China put the flaws in the app on purpose, given that the recipient of the data is the Chinese government, which has no motive to build extra backdoors for anybody else.