IOC defends China Olympics app after 'devastating flaw' revealed

The International Olympic Committee (IOC) has defender China’s MY2022 app for the Olympic Games in Beijing after researchers found it contained a "devastating" encryption flaw.

Due to the pandemic, China has decided to implement a “closed-loop” management system and daily testing. All international and domestic attendees are mandated to download MY2022 14 days prior to their departure for China and to start monitoring and submitting their health status to the app on a daily basis.

However, the flaw allows encryption protecting users’ voice audio and file transfer to be trivially sidestepped, according to new research from Citizen Lab. The app fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and servers. This means it can be deceived into connecting to a malicious host, allowing information it transmits to be intercepted and enabling the app to display spoofed content that appears to originate from trusted servers.

The researchers also found that some sensitive data is transmitted without any SSL encryption or any security at all. It transmits non-encrypted data to “tmail.beijing2022.cn” on port 8099 which contain sensitive metadata relating to messages, such as the names of messages’ senders and receivers, and their user account identifiers. This data can be read by any passive eavesdropper, such as someone operating an unsecured WiFi access point or an Internet Service Provider.

The report said the app collects a range of highly sensitive medical information and it is unclear with whom or which organisations it shares this information. It also contains features that allow users to report politically sensitive content, and contains a censorship keyword list which is presently inactive. The keywords target political topics such as Xinjiang and Tibet as well as reference to Chinese government agencies.

Citizen Lab stated that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.

The IOC told IT Pro that the user is in control over what the app can access on their device, as the settings can be changed to configure access to specific features like Files and Media, Camera, Contacts, Microphone, and more.

“The app has received approval of the Google Play store (Android/HarmonyOS) and the App Store (iOS) too and is available for download,” said the spokesperson. “It is not compulsory to install 'My 2022' on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead.”

The IOC added that it has conducted independent third-party assessments on the application from two cyber security testing organisations, with the reports confirming that there are no critical vulnerabilities. It said that many of the app’s features are used for local Beijing 2022 workforce for time-keeping, task management, and instant messaging, as the app is not only for international users.

The IOC has requested the report from Citizen Lab to understand its concerns better. IT Pro has contacted Google and Apple for comment.