The official app for the 2022 Beijing Winter Olympics, called “My 2022,” was found to be insecure and to compromise users’ privacy.
The app’s encryption is flawed in a way that lets a man-in-the-middle easily read sensitive documents and audio. Besides violating the terms of service of both Google and Apple’s App Store, the app also violates China’s own privacy laws.
Citizen Lab researchers analyzed the app and found that it collects sensitive information such as email addresses and phone numbers, along with details about the device’s location and its cellular service provider.
All athletes, officials, and members of the press are required to install the app and submit their personal information.
For domestic users, the app collects names, national identification numbers, email addresses, phone numbers, and more. It also shares these details with the 2022 Beijing Olympics’ organizers.
For foreigners, the app collects their passport details, daily health status, COVID-19 vaccination status, employer, and demographic data.
The app is also vulnerable to exploitation because of weak SSL-based encryption and faulty certificate validation, which allows rogue connections to be established.
According to Citizen Lab, an attacker could intercept the data the app sends to several of its servers: because the app accepts a spoofed server, the attacker can read the supposedly encrypted data in plain text.
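To make this failure mode concrete, the following Python example (added here; it is not code from the My 2022 app or from the Citizen Lab report) contrasts a TLS client context that skips certificate and host-name validation with a hardened one, implements the host-name match a client must perform against the server certificate, and audits a context for the weak settings a reviewer should flag. The two certificate dictionaries are constructed to mirror the shape returned by `ssl.SSLSocket.getpeercert()`; the host names in them are placeholders.

```python
import ssl

# Constructed peer certificates, shaped like ssl.SSLSocket.getpeercert()
# returns them. Neither is a real certificate from the app or its servers.
LEGIT_CERT = {
    "subject": ((("commonName", "api.example.org"),),),
    "subjectAltName": (("DNS", "api.example.org"), ("DNS", "*.cdn.example.org")),
}
SPOOFED_CERT = {
    "subject": ((("commonName", "mitm.example.net"),),),
    "subjectAltName": (("DNS", "mitm.example.net"),),
}


def hostname_matches(expected_host: str, cert: dict) -> bool:
    """RFC 6125-style host-name check: does the certificate name this host?

    Only DNS subjectAltName entries count (commonName is a legacy fallback
    used when no SAN is present). A single left-most wildcard covers exactly
    one label, so '*.cdn.example.org' matches 'img.cdn.example.org' but
    neither 'cdn.example.org' nor 'a.b.cdn.example.org'.
    """
    host = expected_host.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
    return False


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern: accept any certificate for any host.

    A client built like this completes a handshake with a server that merely
    presents *some* certificate, so a spoofed server receives the "encrypted"
    traffic in the clear. check_hostname must be cleared before verify_mode,
    otherwise the ssl module refuses to set CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected pattern: system trust store, chain and host-name checks,
    and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a code reviewer should flag in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def client_would_accept(ctx: ssl.SSLContext, cert: dict, expected_host: str) -> bool:
    """Approximate the host-name decision a client with this context makes.

    Chain validation against a trust store needs real certificates and is not
    simulated here; this covers only the name check that server spoofing abuses.
    """
    if not ctx.check_hostname:
        return True  # the name is never compared, so any server is "the" server
    return hostname_matches(expected_host, cert)


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, "findings:", audit_context(ctx) or "none")
        print(label, "accepts spoofed server for api.example.org:",
              client_would_accept(ctx, SPOOFED_CERT, "api.example.org"))
```

The insecure context accepts the spoofed certificate for `api.example.org`, which is exactly the condition under which an interceptor reads the traffic in plain text; the hardened context rejects it. The `audit_context` check is the kind of test worth running over every client context a mobile app builds, since a single `CERT_NONE` left over from development undoes the encryption for that connection.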
The sensitive data that the app collects can therefore be obtained by third parties that are not under the control of the Chinese government.
The concerns about the app’s security were reported to the Beijing Olympic Committee on December 3, 2021.
After not receiving a response from the organizers, Citizen Lab publicized the details of the app’s security flaws on January 18.
After reviewing the app’s latest version, released on February 17, the researchers determined that the reported issues remain unresolved.