Mandatory Olympic Athlete App Gives China Data Goldmine

Less than a week after Team USA advised Olympic athletes to purchase disposable “burner” phones to thwart Chinese surveillance of the Beijing Winter Olympics, researchers at the University of Toronto are warning of serious security issues in the “MY2022” smartphone app China is requiring all athletes, journalists, and spectators to download on their smartphones.

Citizen Lab, the University of Toronto’s cybersecurity watchdog group, said on Tuesday the MY2022 app “has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped.”

“Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users,” Citizen Lab found.

Furthermore, while MY2022 greets users with friendly cartoons and “fairly straightforward” requests for information relevant to attending the Olympics, Citizen Lab discovered it also “collects a range of highly sensitive medical information” and forwards it to parties unknown.

“One of the functions MY2022 includes is to collect a list of medical information for health monitoring, which includes users’ daily self-report health status, COVID-19 vaccination status, and COVID-19 lab test results,” the researchers noted. 

The app also includes a tool for reporting “politically sensitive” content to Chinese authorities, and it has a secret “censorship keyword list” with 2,442 entries targeting topics such as Tibetan Buddhism, the Uyghurs of Xinjiang province, the Tiananmen Square massacre, infighting between Communist Party elites, and criticism of the Chinese state. 

Vague objections from the IOC (yes, that IOC)
*versus*
tech evidence methodically collected by @citizenlab, which has published numerous evidence-based reports on China-based apps for over a decade, & whose findings can be independently confirmed. https://t.co/63C18b85ty
hmm

— profdeibert (@RonDeibert) January 18, 2022

Citizen Lab said the censorship keyword list is “presently inactive,” but that could change by the time the Games begin. MY2022 has built-in text and voice chat tools that could be subjected to censorship.

The report authors speculated the censorship keyword list – contained in a plain text file called “illegalwords.txt” they discovered without much effort – might have been included with MY2022 installations as a clumsy mistake. The list of banned words could also be intended for use by an updated version of the app that will be distributed closer to the beginning of the Games.

The authors also entertained the possibility that MY2022 was designed with censorship features that were “intentionally disabled in a bid to hide the extent of China’s censorship regime from outsiders,” or under pressure from the International Olympic Committee (IOC).

The University of Toronto team dug into MY2022’s privacy policies and found that, like many other Chinese apps, there are “several scenarios” in which app is programmed to disclose private information without the user’s consent – including, but not limited to, “national security matters, public health incidents, and criminal investigations.”

The Chinese Communist Party has a habit of declaring everything a “national security matter,” so this amounts to a blanket license for Chinese intelligence operatives to grab any user data they deem important. Citizen Lab found the privacy policy was rather vague about whether any sort of court order would be required for seizing personal information.

Perhaps most disturbingly, the report found numerous critical security flaws in the app, including obvious flaws like the failure to validate electronic security certificates for secure connections or encrypt sensitive data. A good deal of sensitive data from users’ phones would therefore be vulnerable to “passive eavesdroppers” connected to the same wifi network.

The report noted Chinese apps are generally lax about data security and privacy protection, in part because the Communist government discourages companies from creating layers of app security that could interfere with regime intelligence-gathering and censorship activities.

Citizen Lab said it notified the Beijing Olympic organizing committee of these security flaws on December 3, but has received no response. A new version of MY2022 was uploaded to the Apple App Store on Monday, but it contained no fixes to the problems reported by Citizen Lab.

On the contrary, the latest version introduced a new security flaw – a health code system that asks users to provide travel documents and medical history, and then transmits them to Chinese servers without validating security certificates.

“We find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection,” the report concluded.

The New York Times reported Tuesday that Apple and Google did not respond when asked to comment on the Citizen Labs report.