Chinese Olympic App Has Serious Security Flaws: Report

A smartphone app that is expected to be widely used by athletes and others attending next month’s Winter Games in Beijing has evident security problems that could expose sensitive data to interception, according to a report published Tuesday.

Citizen Lab, an Internet watchdog group, said in its report that the MY2022 app has seriously flawed encryption that would make users’ sensitive data, and any other data communicated through it, vulnerable to being hacked. Other important user data on the app wasn’t encrypted at all, the report found.

That means the data could be read by Chinese Internet service providers or telecommunications companies through Wi-Fi hotspots at hotels, airports and Olympic venues.

The Citizen Lab report said the app was mandatory for attendees of the Games, and the International Olympic Committee’s official guidance instructs attendees to download the app before they arrive in China. But the IOC issued a statement Tuesday saying the smartphone app was not mandatory.

The IOC also pushed back against Citizen Lab’s report, saying two independent cybersecurity testing organisations had found no critical vulnerabilities in the app.

China is requiring all international Olympic attendees, including coaches and journalists, to log in to a health monitoring system at least 14 days before their departure. They can use the app to do so, or can log in through a Web browser on a PC. The app allows users to submit required health information daily and is part of China’s aggressive effort to manage the coronavirus pandemic while hosting the Games, which begin February 4. The multipurpose app also includes chat features, file transfers, weather updates, tourism recommendations and GPS navigation.

Citizen Lab’s report comes amid heightened concerns over athletes’ data and privacy. Many countries are advising their athletes not to take their regular smartphones to China, but instead to bring temporary, or burner, phones that don’t store any sensitive personal data, according to news reports.

The US Olympic & Paralympic Committee issued an advisory to athletes telling them to “assume that every device and every communication, transaction, and online activity will be monitored.”

“There should be no expectation of data security or privacy while operating in China,” the advisory stated.

China has a well-documented history of conducting muscular surveillance of its citizens and aggressive cyber-spying on others. But Citizen Lab said there was no evidence that the easily discoverable security flaws in the MY2022 app had been placed intentionally by the Chinese government. For one, much of the sensitive health information held on the app is required to be submitted directly to authorities on health customs forms, the report said.

Citizen Lab said the security vulnerabilities found in the MY2022 app are similar to those found in popular Chinese Web browsers and noted that “insufficient protection of user data is endemic to the Chinese app ecosystem.”

“In light of previous work analysing popular Chinese apps, our findings concerning MY2022 are, while concerning, not surprising,” the report stated.

Citizen Lab said it reported the security issues to the Beijing Organizing Committee last month but did not receive a response. The report also said the app’s security flaws may run afoul of Apple’s and Google’s policies for software used on iPhone handsets and Android devices. The two companies did not immediately return a request for comment.

The Android version of the MY2022 app included a list named “illegalwords.txt” that contained 2,442 keywords, including some that could be politically sensitive and relate to China’s actions toward Tibet and the Uyghur ethnic group.

The report said that despite the list being bundled with the app, it does not appear to function. The Chinese government has long required tech companies to censor content and keywords deemed politically sensitive or inappropriate.

