An app that visitors to the 2022 Olympics Games in Beijing are obligated to download is also a cybersecurity nightmare that threatens to expose much of the data that it collects, according to a new report.
MY2022, the mandatory app for visitors at this year’s Winter Games, offers a variety of services—including tourism recommendations, Covid-related health monitoring, and GPS navigation.
[…]
According to a new report from digital researchers with Citizen Lab at the University of Toronto, the app is so insecure that it may violate China’s own data security law, the Chinese Personal Information Protection Law, which went into effect late last year and is supposed to ensure basic data protections for Chinese citizens. The app may also be in violation of Google’s Unwanted Software Policy, which helps weed out malicious apps in the Android ecosystem, as well as Apple’s App Store guidelines, the report notes.
[…]
the app often fails to validate SSL certificates—meaning that it doesn’t verify where it’s actually sending the data that it transmits. This sets users up for potential man-in-the-middle cyberattacks, in which an attacker could spoof a connection to a legitimate website and thereby thieve data sent by the app. At the same time, researchers found that the app also transmits certain kinds of metadata without any kind of SSL encryption or other security protection at all—leaving it wide open for public inspection in certain cases.
In summation, despite collecting large amounts of sensitive health and travel information on its users (think: passport details, medical history, demographic data, and so on), MY2022 lacks safeguards to protect it.
[…]
They note that much of the data that has been left vulnerable to theft is already being openly collected by the Chinese government (the app’s privacy policy explains this)—so there would be little reason to implement a surveillance workaround. The report also notes that digital security is not so great in the Chinese app ecosystem overall, and, thus, it might be the case that the MY2022 developers simply created a shitty app, not a sneaky one.
[…]
Source: Security Holes Found in My2022 App for Beijing Winter Olympics
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft