The required smartphone app that everyone attending next month’s Winter Olympics in China must use has a “simple but devastating flaw” in its encryption which puts voice, file transfer and stored medical data of users at risk, says a Canadian privacy and human rights group.
In a report released today, the University of Toronto’s Citizen Lab says the MY2022 app also allows server responses to be spoofed, letting an attacker display fake instructions to users, and contains a censorship keyword list — inactive in current versions — that targets a variety of political topics, including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.
However, Citizen Lab doubts the SSL encryption vulnerabilities were deliberately placed. Instead, it notes that insufficient protection of user data is “endemic to the Chinese app ecosystem.” It also points out that the health data users have to enter on the app has to be filed separately anyway with the government of China.
In fact, the report adds, MY2022’s insecure transmission of personal information may constitute a direct violation of China’s privacy laws, in addition to Google’s Unwanted Software Policy and Apple’s App Store guidelines.
The report also points out the Chinese government has taken significant steps to rein in companies’ invasive collections and poor handling of personal information, largely following global approaches to personal data protection.
MY2022 is a combination utility and COVID-19 contact tracing app. It includes tourism recommendations, GPS navigation, and a place for COVID-19-related health information such as vaccination and daily health status.
All international and domestic attendees of the Games are mandated to download the app 14 days prior to their departure for China and to start monitoring and submitting their health status to the app every day.
MY2022 was built by the Beijing Organizing Committee. Public records show the app is owned by a state-owned company called Beijing Financial Holdings Group.
The report says the app is “fairly straightforward” about the types of data it collects from users in its public-facing documents.
However, the app has two flaws. First, it doesn’t validate SSL certificates, thus failing to verify to whom it is sending sensitive, encrypted data. That can allow an attacker to spoof trusted servers by interfering with the communication between the app and those servers, says the report. Although researchers found that some connections were not vulnerable, they found that SSL connections to at least five servers are.
Second, there are data transmissions that MY2022 fails to protect with any encryption. For example, researchers found that MY2022 transmits non-encrypted data to “tmail.beijing2022.cn” — one of the vulnerable servers mentioned above — on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages’ senders and receivers and their user account identifiers. “Such data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, or an Internet Service Provider or other telecommunications company,” the report says.
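The first flaw the report describes is a client that speaks TLS but never checks the server’s certificate. The following Python snippet, added here as an illustration and not code from the app or from Citizen Lab, shows that weak client configuration beside the hardened form, plus a small audit function a reviewer could run over any `ssl.SSLContext` to flag the same misconfiguration. The hostnames in it are placeholders, not the app’s servers.

```python
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak pattern: TLS encrypts the channel, but the peer's certificate
    chain is never verified and the name in it is never compared with the host
    dialed, so any on-path party presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any chain, signed by anyone
    return ctx


def secure_context() -> ssl.SSLContext:
    """Hardened form: chain verified against the platform trust store, name
    must match the dialed host, and TLS 1.2 is the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of validation gaps present in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def connect_verified(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open a TLS connection; refuse to proceed if the context would not
    authenticate the peer. server_hostname is what check_hostname compares."""
    gaps = audit_context(ctx)
    if gaps:
        raise ValueError("refusing to connect, context is unsafe: " + ", ".join(gaps))
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Placeholder host; a real run needs a reachable TLS endpoint.
    print(audit_context(insecure_context()))  # two findings
    print(audit_context(secure_context()))    # []
```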
On December 3, 2021, the security issues were disclosed to the Beijing Organising Committee for the 2022 Olympic and Paralympic Winter Games. As of January 18 there was no response.
On January 17 the developers released version 2.0.5 of the iOS version of MY2022 to Apple’s App Store. The issues hadn’t been fixed. In fact, the update introduced a new feature called “Green Health Code” whose data transmissions were similarly vulnerable: they also used an SSL implementation that failed to validate SSL certificates. The “Green Health Code” feature asks for travel document information and medical history information similar to the information the researchers had already found to be insecurely transmitted by the app’s vulnerable customs health declaration feature.
“Our findings analyzing MY2022, while concerning, are not particularly surprising for apps operating in China and sometimes apps developed by Chinese companies. For many years, China did not have laws or specific agencies that oversee private companies’ collections and protection of personal data,” the report says.