China's app for Olympic athletes has security flaws, study finds
The mandatory app athletes and attendees of the Beijing Winter Olympics will use to report their health and travel data contains an encryption flaw that could expose their passport details, demographic information and medical and travel information, according to a study by Citizen Lab.
Why it matters: The security defect could imperil data security for those taking part in this year's Winter Games, which are set to begin on Feb. 4. Censorship mechanisms embedded in the app also raise concerns about social and political surveillance by China's government.
The big picture: Though Citizen Lab, a Toronto University-based security watchdog, disclosed its security analysis of the app to the Beijing Organising Committee on Dec. 3, it said it still has not received a response as of Jan. 18.
- In addition to allowing users to submit their health and travel information, the app has real-time and voice auto chat functions, news and weather updates and file transfer systems.
- Citizen Lab said the app allows users to report "politically sensitive" content, while its coding contains a list of keywords — many of which pertain to Uyghur and Tibetan issues — that have been marked for censorship, though the list is currently inactive.
What they're saying: "MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information," Citizens Lab said in the report.
- "While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," it added.
The International Olympic Committee told Axios that it allowed two independent third-party assessments on the application from cyber-security testing organizations, which found that the app contains no critical vulnerabilities.
- It also said users are allowed to configure the app to disable access to certain functions, such as files and media, camera, contacts, location and microphone.
- "We have requested the report of Citizen Labs to understand their concerns better," the IOC said.
Editor's note: This article was updated with comment from the IOC.