
IOC defends China Olympics app after 'devastating flaw' revealed

The app may even be breaking Google and Apple’s app store policies when it comes to privacy, according to Citizen Lab

The International Olympic Committee (IOC) has defended China’s MY2022 app for the Olympic Games in Beijing after researchers found it contained a "devastating" encryption flaw.

Due to the pandemic, China has decided to implement a “closed-loop” management system and daily testing. All international and domestic attendees are mandated to download MY2022 14 days prior to their departure for China and to start monitoring and submitting their health status to the app on a daily basis.

However, the flaw allows the encryption protecting users’ voice audio and file transfers to be trivially sidestepped, according to new research from Citizen Lab. The app fails to validate SSL certificates, allowing an attacker to impersonate trusted servers by intercepting the communication between the app and those servers. This means the app can be deceived into connecting to a malicious host, allowing the information it transmits to be intercepted and enabling the app to display spoofed content that appears to originate from trusted servers.

The researchers also found that some sensitive data is transmitted without any SSL encryption or any security at all. The app transmits unencrypted data to “tmail.beijing2022.cn” on port 8099 that contains sensitive metadata relating to messages, such as the names of messages’ senders and receivers and their user account identifiers. This data can be read by any passive eavesdropper, such as someone operating an unsecured WiFi access point or an Internet Service Provider.
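The certificate-validation failure described above comes down to a TLS client that accepts any certificate for any hostname. The following Python example, added here and not taken from the app or from Citizen Lab’s report, shows the misconfigured client context beside the hardened one, an audit check that distinguishes them, and a simplified RFC 6125-style hostname match against a constructed subjectAltName list (the SAN entries are made up for illustration; the matcher is a teaching version, not a replacement for the TLS library’s own check).

```python
import ssl

# Constructed subjectAltName data in the shape ssl.getpeercert() returns it.
# These entries are illustrative only, not taken from any real certificate.
SAMPLE_CERT = {"subjectAltName": (("DNS", "tmail.beijing2022.cn"),
                                  ("DNS", "*.beijing2022.cn"))}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or one leading '*' covering exactly one
    label. A wildcard never spans labels and never matches a bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_in_cert(cert: dict, hostname: str) -> bool:
    """True when the expected hostname is covered by a dNSName SAN entry."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def insecure_context() -> ssl.SSLContext:
    """The failure mode in the report: chain and hostname checks switched off,
    so any host presenting any certificate is accepted as the server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default context: system CA store, CERT_REQUIRED, hostname checking."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Code-review style check: list the validation steps a context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-validation-disabled")
    if not ctx.check_hostname:
        findings.append("hostname-check-disabled")
    return findings
```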

The report said the app collects a range of highly sensitive medical information and it is unclear with whom or with which organisations it shares this information. It also contains features that allow users to report politically sensitive content, and contains a censorship keyword list which is presently inactive. The keywords target political topics such as Xinjiang and Tibet as well as references to Chinese government agencies.

Citizen Lab stated that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.

The IOC told IT Pro that the user is in control over what the app can access on their device, as the settings can be changed to configure access to specific features like Files and Media, Camera, Contacts, Microphone, and more.


“The app has received approval of the Google Play store (Android/HarmonyOS) and the App Store (iOS) too and is available for download,” said the spokesperson. “It is not compulsory to install 'My 2022' on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead.”

The IOC added that it has conducted independent third-party assessments of the application through two cyber security testing organisations, with the reports confirming that there are no critical vulnerabilities. It said that many of the app’s features are used by the local Beijing 2022 workforce for time-keeping, task management, and instant messaging, as the app is not only for international users.

The IOC has requested the report from Citizen Lab to understand its concerns better. IT Pro has contacted Google and Apple for comment.
