An application that visitors to the Olympic Games 2022 in Beijing are forced to download is also a cybersecurity nightmare that threatens to expose much of the data it collects, according to a new report.
MY2022, the mandatory app for visitors to this year’s Winter Games, offers a variety of services, including tourist recommendations, Covid-related health monitoring and GPS navigation. It was designed by the Beijing Organizing Committee and is officially owned by a Chinese state-backed company, the Beijing Financial Holdings Group. While the app is meant to provide an amplified visitor experience, researchers found it also collects a wealth of personal information about its users which it apparently spends no effort to secure.
According to a new report by digital researchers from the Citizen Lab at the University of Toronto, the app is so insecure that it may violate China’s own data security law, China’s Personal Information Protection Law, which came into force at the end of last year and is supposed to provide basic data protection for Chinese citizens. The application may also be in violation of Google’s Unwanted Software Policy, which helps weed out malicious apps from the Android ecosystem, as well as Apple’s App Store guidelines, the report notes.
The researchers looked at version 2.0.0 for iOS and version 2.0.1 for Android, finding that both seemed to suffer from similar shortcomings in how they handle encryption and data transmission.
According to Citizen Lab, the application often fails to validate SSL certificates, which means that it does not check where it actually sends the data it transmits. This exposes users to potential man-in-the-middle attacks, in which an attacker could spoof a connection to a legitimate website and thus steal data sent by the app. At the same time, the researchers discovered that the app also transmits certain types of metadata without any type of SSL encryption or other security protection at all, leaving it wide open to public inspection in some cases.
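The two failure modes described above (accepting any server certificate, and sending data without TLS at all) are the kind of thing an app audit checks for before release. The following is an added example and not code from the report or the app: it audits a Python `ssl.SSLContext` for disabled verification and a list of endpoints for cleartext transport; the hosts and field names are constructed for illustration.

```python
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample endpoints: (URL, fields the client sends there).
# Hypothetical hosts, not taken from the report.
SAMPLE_ENDPOINTS = [
    ("https://health-api.example.test/submit", ["passport_no", "temperature"]),
    ("http://telemetry.example.test/beacon", ["device_model", "os_version"]),
    ("https://maps.example.test/tiles", ["lat", "lon"]),
]

@dataclass(frozen=True)
class Finding:
    where: str
    reason: str

def audit_tls_context(ctx: ssl.SSLContext) -> list[Finding]:
    """Flag a client context that would accept any server certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(Finding("ssl_context", "server certificate not verified (CERT_NONE)"))
    if not ctx.check_hostname:
        findings.append(Finding("ssl_context", "hostname not checked against certificate"))
    return findings

def audit_endpoints(endpoints) -> list[Finding]:
    """Flag endpoints that receive data without any transport encryption."""
    return [
        Finding(url, f"cleartext transmission of {', '.join(fields)}")
        for url, fields in endpoints
        if urlsplit(url).scheme == "http"
    ]

def audit_client(ctx: ssl.SSLContext, endpoints=SAMPLE_ENDPOINTS) -> list[Finding]:
    return audit_tls_context(ctx) + audit_endpoints(endpoints)

def insecure_context() -> ssl.SSLContext:
    """The misconfiguration class the report describes: verification disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def secure_context() -> ssl.SSLContext:
    """Default context: CA verification and hostname check both on."""
    return ssl.create_default_context()

if __name__ == "__main__":
    for f in audit_client(insecure_context()):
        print(f"[{f.where}] {f.reason}")
```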
In summary, despite collecting large amounts of sensitive health and travel information from its users (think passport details, medical history, demographics, etc.), MY2022 lacks safeguards to protect it. Researchers say they disclosed the issues to the Beijing organizing committee more than a month ago on Dec. 3, but never heard back.
We have contacted the Beijing Organizing Committee to comment on this story and will update if they respond.
While the Beijing committee has never responded to Citizen Lab, it did recently release a newer version of the app, 2.0.5 for iOS, which not only fails to fix all reported security issues but apparently introduces a new one: the latest version of the app includes a new feature, called Green Health Code, designed to manage travel documents and health data which, like its other features, transmits data in an insecure manner, the researchers write.
“We believe that such a widespread lack of security is less likely to be the result of a broad government conspiracy, but rather the result of a simpler explanation such as different priorities for software developers in China,” the researchers write of the security failures.