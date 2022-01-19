My2022, the companion mobile app for the upcoming Beijing 2022 Winter Olympics, which the Chinese authorities have allegedly mandated that all participants and attendees install on their mobile devices, is riddled with cyber security flaws that leave it wide open to exploitation.

This is according to researchers at Canada’s Citizen Lab, an interdisciplinary laboratory based at the University of Toronto’s Munk School of Global Affairs and Public Policy – which came to prominence in 2021 for its role in exposing multiple governments’ illicit and unethical use of Pegasus, a “legitimate” spyware app.

The My2022 app is billed as a multipurpose service, incorporating functionality such as real-time chat, including voice audio chat, file transfers, and news and weather updates.

For visitors to China, including accredited media and athletes, it also serves as the channel for submitting the health information now required to enter the country, such as Covid-19 vaccination records and test results and, once in China, daily self-reports.

According to Citizen Lab, the most significant security vulnerability is the app’s failure to properly validate the SSL/TLS certificates presented by the servers it talks to, which means it cannot confirm to whom it is sending sensitive user data. This leaves it open to a man-in-the-middle attack: an attacker positioned on the network path (on the same Wi-Fi network, for example) can intercept the connection and present a forged certificate for the server’s name, and the device, having never checked that certificate, will hand its data to the attacker’s server instead of the genuine one.
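To make the mechanism concrete, the following is an added example, not code from Citizen Lab’s report or from the My2022 app itself (which is not written in Go). It stands up two TLS servers on loopback, a genuine one and a spoofed one that claims the same hostname with a different key and no trusted issuer, and then tries two client configurations against each: a client with certificate validation switched off, which mirrors the flaw described above, and a hardened client that verifies the chain against an explicit trust store and checks the hostname. The hostname app.example, both certificates and both servers are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is the hostname the client intends to reach. Constructed
// placeholder; not a real My2022 endpoint.
const serverName = "app.example"

// selfSignedCert builds a throwaway self-signed certificate for serverName.
// Every call uses a fresh key, so a second call stands in for an attacker who
// presents a certificate for the same name but has no trusted CA behind it.
func selfSignedCert(serial int64) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// serveTLS listens on loopback with cert and answers handshakes until stop is
// called. A handshake fails server-side when a verifying client rejects the
// certificate; that is expected and simply closes the connection.
func serveTLS(cert tls.Certificate) (addr string, stop func(), err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				c.(*tls.Conn).Handshake()
				c.Close()
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// handshakes reports whether a client using cfg completes a TLS handshake
// with the server at addr (tls.Dial performs the handshake before returning).
func handshakes(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Outcome records which server each client configuration accepted.
type Outcome struct {
	VulnerableAcceptsGenuine bool
	VulnerableAcceptsSpoofed bool
	HardenedAcceptsGenuine   bool
	HardenedAcceptsSpoofed   bool
}

// RunDemo runs both clients against both servers.
func RunDemo() (Outcome, error) {
	var out Outcome
	genuineCert, genuineLeaf, err := selfSignedCert(1)
	if err != nil {
		return out, err
	}
	spoofedCert, _, err := selfSignedCert(2) // same name, attacker's key
	if err != nil {
		return out, err
	}
	genuineAddr, stopGenuine, err := serveTLS(genuineCert)
	if err != nil {
		return out, err
	}
	defer stopGenuine()
	spoofedAddr, stopSpoofed, err := serveTLS(spoofedCert)
	if err != nil {
		return out, err
	}
	defer stopSpoofed()

	// Vulnerable client: certificate validation disabled, the flaw Citizen Lab
	// describes. Any server that speaks TLS is accepted, whoever runs it.
	vulnerable := &tls.Config{InsecureSkipVerify: true}

	// Hardened client: verify the chain against an explicit trust store and
	// check that the certificate is issued for the hostname we meant to reach.
	roots := x509.NewCertPool()
	roots.AddCert(genuineLeaf)
	hardened := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}

	out.VulnerableAcceptsGenuine = handshakes(genuineAddr, vulnerable)
	out.VulnerableAcceptsSpoofed = handshakes(spoofedAddr, vulnerable)
	out.HardenedAcceptsGenuine = handshakes(genuineAddr, hardened)
	out.HardenedAcceptsSpoofed = handshakes(spoofedAddr, hardened)
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The vulnerable client accepts both servers, so an attacker who can redirect or intercept the connection (a hostile hotspot, a rogue DNS answer, a CSP on the path) receives the data in the clear at their own endpoint. The hardened client accepts only the genuine server, because the spoofed certificate chains to no trusted root even though it carries the right hostname. In a mobile app the equivalent mistake is a custom TrustManager, delegate or hostname verifier that accepts everything, which is exactly what a pentester looks for when auditing an app’s transport security.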

Citizen Lab also found that the My2022 app transmits some sensitive data with no SSL/TLS encryption or other protection at all. This data includes message metadata, such as the names of senders and receivers and their account IDs. Such plaintext traffic could be read by any “passive eavesdropper”: for example, someone within range of an unsecured Wi-Fi access point, the owner of a Wi-Fi hotspot or, of greater concern, a communications services provider (CSP).

Citizen Lab’s Jeffrey Knockel said the organisation disclosed these vulnerabilities to the Beijing games organising committee on 3 December 2021 but had not received any response. An updated version of the app released to Apple’s App Store on 17 January 2022 did not fix the issues and introduced a new health status reporting feature that also failed to securely transmit data.

Knockel’s team also found issues with the app’s privacy policy which, while reasonably clear in many regards, does not always specify the organisations or entities with which a user’s confidential health data may be shared, a legitimate source of concern for some travellers to China.

They also found evidence that the app contains blocking and censorship measures, uncovering a list of banned keywords covering political topics related to China.

However, Citizen Lab stopped short of saying that the vulnerabilities had been planted deliberately at the behest of the Chinese government. Even though China openly uses technology to conduct illicit surveillance, and legitimate concerns exist over the security of software developed by Chinese companies (such as TikTok), there was in this instance no point in Beijing intercepting data, such as the Covid-19 status of visitors, that it would be collecting anyway at the visitor’s port of entry.

“Our prior work suggests that insufficient protection of user data is endemic to the Chinese app ecosystem. While some work has ascribed intentionality to poor software security discovered in Chinese apps, we believe that such a widespread lack of security is less likely to be the result of a vast government conspiracy but rather the result of a simpler explanation such as differing priorities for software developers in China,” wrote Knockel.

He added that it was worth noting that the Chinese government has taken “significant steps” to rein in the invasive collection of personal data by Chinese companies, notably the introduction last year of the Personal Information Protection Law (PIPL), a GDPR-like statute. Indeed, he added, My2022’s insecure transmission of data may actually violate China’s new privacy law. It certainly violates the terms and conditions that app developers must adhere to in order to be listed on the Google Play Store and Apple App Store.

“In light of our previous research, our findings analysing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies,” wrote Knockel.

“While we found glaring and easily discoverable security issues with the way that MY2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese Web browsers.”