Mandatory app at Chinese Olympics collects data but doesn’t keep it securely

9to5mac.com/2022/01/18/chinese-olympics-app-security-holes/

Mandatory Chinese Olympics app collects personal data, has two security holes

Ben Lovejoy (@benlovejoy) – Jan. 18th 2022 7:03 am PT

Use of the Chinese Olympics app, MY2022, is mandatory for everyone attending this year’s Olympic Games in Beijing, whether as an athlete or simply watching from the stadium.

The app collects sensitive personal data – like passport details, medical data, and travel history – and analysis by security researchers reveals that the code has two security holes that could expose this information.

Citizen Lab, which has also played a key role in identifying phones compromised by Pegasus spyware, carried out the analysis.

Due to the COVID-19 pandemic, China has decided to implement a “closed-loop” management system and daily testing. Additionally, all international and domestic attendees of the Games are mandated to download MY2022 14 days prior to their departure for China and to start monitoring and submitting their health status to the app on a daily basis […]

[We found] two security vulnerabilities in MY2022 related to the security of the transmission of user data. First, we describe a vulnerability in which MY2022 fails to validate SSL certificates, thus failing to validate to whom it is sending sensitive, encrypted data. Second, we describe data transmissions that MY2022 fails to protect with any encryption.

Although the app uses SSL, it doesn’t validate certificates.

Our analysis found that MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers. This failure to validate means the app can be deceived into connecting to a malicious host while believing it is a trusted host, allowing information that the app transmits to servers to be intercepted and allowing the app to display spoofed content that appears to originate from trusted servers.
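What a failure like the one described above usually looks like in Android source, and one way to check a code base (or decompiled APK output) for it, as an added example that is not from the article, the Citizen Lab report or MY2022's own code. The report does not say which mechanism the app used, so the Java snippets and the rules below are assumptions about the common patterns, placed next to a version that keeps the platform's validation.

```python
"""Static check for Android code that disables TLS certificate validation.

Added example, not from the 9to5mac article, the Citizen Lab report or the
MY2022 app: the report says only that the app fails to validate SSL
certificates, not how. The Java snippets below are constructed to show the
usual ways that happens on Android, next to a version that validates.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    why: str


# (rule name, pattern over the source text, explanation). Patterns tolerate
# arbitrary whitespace so they also work on decompiled output.
RULES = [
    ("empty-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}", re.S),
     "X509TrustManager accepts any server certificate chain"),
    ("accept-all-hostname-verifier",
     re.compile(r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"\s*\{\s*return\s+true\s*;", re.S),
     "HostnameVerifier returns true for every host"),
    ("accept-all-hostname-lambda",
     re.compile(r"setHostnameVerifier\s*\(\s*\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\s*\)", re.S),
     "HostnameVerifier lambda returns true for every host"),
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "Apache HttpClient hostname verification disabled"),
]


def scan(source: str) -> list[Finding]:
    """Return one Finding per match, with the 1-based line of the match."""
    findings = []
    for name, pattern, why in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(name, line, why))
    return sorted(findings, key=lambda f: f.line)


# Constructed: the classic "trust everything" pattern. Any certificate for any
# name is accepted, so a man-in-the-middle can present its own and read the body.
VULNERABLE_JAVA = """\
public class TrustAll {
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    static void send(String url, byte[] body) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setHostnameVerifier(ANY_HOST);
        c.setDoOutput(true);
        c.getOutputStream().write(body);
    }
}
"""

# Constructed: the same upload with the platform defaults, which check the chain
# against the system trust store and the hostname against the certificate.
HARDENED_JAVA = """\
public class Validated {
    static void send(String url, byte[] body) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setDoOutput(true);
        c.getOutputStream().write(body);
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        print(label, [(f.rule, f.line, f.why) for f in scan(src)])
```

The rules are heuristics, not proof: a match is a place to read by hand, and a clean result does not rule out validation being disabled elsewhere (for example through a `network_security_config` that adds user-installed certificates as trust anchors, which is worth grepping for separately).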

Worse, some data is not encrypted at all – including details of who is communicating with whom.

We also found that some sensitive data is transmitted without any SSL encryption or any security at all. We found that MY2022 transmits non-encrypted data to “tmail.beijing2022.cn” on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages’ senders and receivers and their user account identifiers.

Such data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, or an Internet Service Provider or other telecommunications company.

Additionally, the Android version ships with a list of banned words – though the researchers found no code path that actually uses it.

Bundled with the Android version of MY2022, we discovered a file named “illegalwords.txt” which contains a list of 2,442 keywords generally considered politically sensitive in China. However, despite its inclusion in the app, we were unable to find any functionality where these keywords were used to perform censorship. It is unclear whether this keyword list is entirely inactive, and, if so, whether the list is inactive intentionally. However, the app contains code functions designed to apply this list toward censorship, although at present these functions do not appear to be called. 
