The 2022 Olympics App All Attendees Must Download Is a Security Nightmare, Researchers Find

An app that visitors to the 2022 Olympic Games in Beijing are obligated to download is also a cybersecurity nightmare that threatens to expose much of the data it collects, according to a new report.

MY2022, the mandatory app for visitors at this year’s Winter Games, offers a variety of services — including tourism recommendations, Covid-related health monitoring, and GPS navigation. It was designed by the Beijing Organising Committee and is officially owned by a state-backed Chinese company, the Beijing Financial Holdings Group. While the app is supposed to provide an amplified visitor experience, researchers found it also collects a wealth of personal information on its users that it apparently spends zero effort securing.

According to a new report from digital researchers with Citizen Lab at the University of Toronto, the app is so insecure that it may violate China’s own data security law, the Chinese Personal Information Protection Law, which went into effect late last year and is supposed to ensure basic data protections for Chinese citizens. The app may also be in violation of Google’s Unwanted Software Policy, which helps weed out malicious apps in the Android ecosystem, as well as Apple’s App Store guidelines, the report notes.

Researchers looked at version 2.0.0 for iOS and version 2.0.1 for Android, finding that both seemed to suffer from similar deficiencies in how they handle data encryption and transmission.

According to Citizen Lab, the app often fails to validate SSL certificates — meaning that it doesn’t verify that the server it is sending data to is really the one it expects. This sets users up for potential man-in-the-middle attacks, in which an attacker could impersonate a legitimate server and intercept the data the app sends. At the same time, researchers found that the app also transmits certain kinds of metadata without any SSL encryption or other security protection at all — leaving it wide open to public inspection in certain cases.
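To make the two findings concrete, here is an added illustration (not code from the report or from the MY2022 app): a Python client TLS context configured the way the report describes, beside one that validates properly, plus a small audit that flags each problem and any endpoint that would carry data without TLS. The endpoint URLs are constructed samples.

```python
import ssl
from urllib.parse import urlparse


def make_client_context(validate: bool) -> ssl.SSLContext:
    """Build a TLS client context.

    validate=False reproduces the class of misconfiguration described in the
    report: the client accepts any certificate, so it cannot tell a legitimate
    server from one that impersonates it.
    """
    if validate:
        # Loads the system trust store, requires a chain to a trusted CA and
        # checks that the certificate matches the hostname being contacted.
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # hostname mismatches are ignored
    ctx.verify_mode = ssl.CERT_NONE  # untrusted or self-signed certs accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings an app reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


def audit_endpoints(urls: list[str]) -> dict[str, str]:
    """Flag endpoints that would transmit data with no TLS protection at all."""
    return {u: "cleartext" for u in urls if urlparse(u).scheme != "https"}


if __name__ == "__main__":
    # Constructed sample endpoints, not the app's real ones.
    sample_urls = ["https://api.example.test/health", "http://api.example.test/device-meta"]
    for label, ctx in (("misconfigured", make_client_context(False)),
                       ("hardened", make_client_context(True))):
        print(label, audit_context(ctx) or ["no findings"])
    print(audit_endpoints(sample_urls))
```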

In sum, despite collecting large amounts of sensitive health and travel information on its users (think: passport details, medical history, demographic data, and so on), MY2022 lacks safeguards to protect it. Researchers say they disclosed these issues to the Beijing Organising Committee more than a month ago, on Dec. 3, but never heard back.

We reached out to the Beijing Organising Committee for comment on this story and will update if they respond.

While the Beijing committee never responded to Citizen Lab, it did recently put out a newer version of the app — 2.0.5 for iOS — which not only didn’t fix any of the reported security problems but apparently introduced a new one. The newest version includes a new feature, called Green Health Code, designed to handle travel documents and health data; like the app’s other features, it transmits that data insecurely, researchers write.

Given China’s status as a surveillance goliath, it might be tempting to see this shoddy security design as some sort of purposeful Chinese government plot to suck up visitors’ information. And while MY2022 may seem suspicious, Citizen Lab concludes that the explanation may be something far less sinister than that. They note that much of the data left vulnerable to theft is already being openly collected by the Chinese government (the app’s privacy policy explains this) — so there would be little reason to implement a surveillance workaround. The report also notes that digital security is not so great in the Chinese app ecosystem overall, and, thus, it might be the case that the MY2022 developers simply created a shitty app, not a sneaky one.

“We believe that such a widespread lack of security is less likely to be the result of a vast government conspiracy but rather the result of a simpler explanation such as differing priorities for software developers in China,” researchers write, of the security failures.