An app that all attendees of the Beijing 2022 Winter Olympics must use has a flaw that allows the encryption of sensitive data to be sidestepped and also censors words related to the Chinese regime’s human rights abuses of ethnic and religious minority groups, according to a Canadian study.
Citizen Lab, a global security research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy, published the study on Jan. 18 that analyzed the app, called MY2022.
All attendees of the Beijing Winter Olympics, including athletes, audience members, and journalists, are required to install the app to attend the Games, which begin Feb. 4.
Concerns of User Data Leaks
China requires all international and domestic attendees of the Games to download the app 14 days prior to their arrival. Users must monitor and submit their health status through the app on a daily basis.
The Citizen Lab report says the app—which collects the users’ public-facing documents and a range of highly sensitive medical data—contains a “simple but devastating flaw,” allowing the encryption that protects the information to be “trivially sidestepped.”
“MY2022 fails to validate SSL certificates, thus failing to validate to whom it is sending sensitive, encrypted data,” study author Jeffrey Knockel wrote.
“This failure to validate means the app can be deceived into connecting to a malicious host while believing it is a trusted host, allowing information that the app transmits to servers to be intercepted,” he wrote, adding that the vulnerabilities exist in both the app’s iOS and Android versions.
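The defect Knockel describes is easy to reproduce in miniature. The following Go program is an added illustration, not code from the Citizen Lab report or from MY2022: it starts a loopback HTTPS server with a self-signed certificate (a constructed stand-in for a host the app should not trust) and then connects to it with three clients. The first, with InsecureSkipVerify set, mirrors the reported flaw and accepts the untrusted server; the second validates against the system trust store and refuses; the third pins the one certificate it expects and connects only to that server. Function names and the sample response text are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// startServer starts a loopback HTTPS server whose certificate is self-signed
// and therefore not trusted by the system roots. It stands in for the host an
// app ends up talking to when it never checks whom it is connected to.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		// Constructed response body; a real backend would return application data.
		io.WriteString(w, "health form accepted")
	}))
}

// clientWith builds an HTTP client around an explicit TLS configuration.
// An explicit Transport also keeps environment proxy settings out of the test.
func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// insecureConfig reproduces the reported defect: TLS is negotiated, but the
// server's certificate is never validated, so any host can impersonate the server.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

// defaultConfig is what a correctly written client uses: the chain is checked
// against the system trust store and the hostname is verified.
func defaultConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// pinnedConfig trusts only the given certificates. A client whose backend uses
// a private CA should name exactly whom it is willing to talk to rather than
// switch validation off.
func pinnedConfig(trusted ...*x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// tryFetch performs one GET and reports whether the TLS session was accepted.
// A validating client fails here with an "unknown authority" error.
func tryFetch(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err == nil, err
}

func main() {
	srv := startServer()
	defer srv.Close()

	cases := []struct {
		name string
		cfg  *tls.Config
	}{
		{"no validation (reported flaw)", insecureConfig()},
		{"system trust store", defaultConfig()},
		{"pinned to expected certificate", pinnedConfig(srv.Certificate())},
	}
	for _, tc := range cases {
		ok, err := tryFetch(clientWith(tc.cfg), srv.URL)
		fmt.Printf("%-32s connected=%v err=%v\n", tc.name, ok, err)
	}
}
```

Run it and the first line shows the untrusted server accepted without complaint, which is exactly the condition that lets an interposed host read whatever the app sends; the second and third lines show the two behaviours a client should have instead. A quick audit of any mobile or backend client is to search its TLS setup for the equivalent of InsecureSkipVerify (an all-accepting TrustManager on Android, or a delegate that always approves server trust on iOS) and to confirm that a test server with an unknown certificate is rejected.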
MY2022’s description on Apple’s App Store says the mobile app provides a wide range of communication functions such as instant messaging and other information services for travel, accommodations, and food.
But Citizen Lab’s researchers discovered a file named “illegalwords.txt” bundled with MY2022’s Android version, which includes a list of more than 2,400 keywords that are generally considered politically sensitive by the ruling Chinese Communist Party (CCP), the institute said.
Among the list of censored keywords were the terms “Falun Gong,” “World Uyghur Congress,” “Tibet Freedom,” and “Tiananmen massacre”—words referring to ethnic and religious minority groups persecuted by the CCP and human rights atrocities the regime has committed.
The list also includes the Chinese terms for The Epoch Times and its sister media outlet NTD. Neutral references to the names of current and former Chinese leaders, as well as government agencies, are also listed, the report states.
Most of the banned keywords are listed in simplified Chinese, with a small portion in Tibetan, Uyghur, traditional Chinese, and English. The majority of the keywords reference pornography, swear words, and illegal goods, which Citizen Lab said it has found similarly prohibited on other Chinese apps in previous studies.
“Internet platforms operating in China are legally required to control content communicated over their platforms or face penalties,” Knockel wrote.
“Vague definitions of prohibited content are often called ‘pocket crimes’ referring to authorities being able to deem any action as an offense. Such crimes are utilized by the Chinese government to restrict political and religious expression over the Internet.”
Citizen Lab said it informed the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games of the MY2022 security issues on Dec. 3, 2021. As of Jan. 18, it had not received a response. The lab also noted that while the app developers released an update on Jan. 17, the vulnerabilities remained unresolved.
China has historically undermined encryption technology to “perform political censorship and surveillance” and has been known to exploit “unencrypted network communications to launch man-in-the-middle attacks,” Knockel said.
While that raises questions about whether MY2022’s encryption was “intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence,” Knockel said the case for deliberate sabotage of MY2022’s encryption is problematic, as data collected through the app is already being submitted directly to the government.
“While it is possible that weakness in the encryption of health customs information was collateral damage from the intentional weakening of the encryption of other types of data that the Chinese government would have an interest in intercepting, our prior work suggests that insufficient protection of user data is endemic to the Chinese app ecosystem,” he wrote.
“While some work has ascribed intentionality to poor software security discovered in Chinese apps, we believe that such a widespread lack of security is less likely to be the result of a vast government conspiracy but rather the result of a simpler explanation, such as differing priorities for software developers in China.”