China’s app for Olympic athletes has security flaws, censorship-sensitive language, says Canadian report


According to a new study by Canadian researchers, the app that all participants in the 2022 Winter Olympics are required to use has a flaw that allows the encryption protecting sensitive data to be circumvented. According to the study, the app also censors words related to the Chinese authorities’ human rights abuses against ethnic and religious minority groups.

Citizen Lab, a global security institute at the University of Toronto’s Munk School of Global Affairs and Public Policy, published research on January 18 analyzing the MY2022 app. All participants in the Beijing Winter Olympics, including spectators, journalists, and athletes, must install the app to take part in the Games.

Concerns about user data leaks

In China, all domestic and foreign participants in the Games must download the app 14 days before arrival. Users must monitor and report their health status daily through the app.

According to the Citizen Lab report, the app, which collects a variety of sensitive medical data submitted by users, contains “simple but catastrophic flaws” that make the encryption meant to protect that information “easy” to circumvent.

“MY2022 fails to verify the SSL certificate and therefore cannot verify the destination of sensitive encrypted data,” writes researcher Jeffrey Knockel.

“This validation failure means that the app can be fooled into connecting to a malicious host while believing it is a trusted host, allowing the information the app sends to the server to be intercepted,” he wrote, adding that the vulnerability exists in both the iOS and Android versions of the app.
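To make the flaw described above concrete, here is an added example written for this article; it is not code from the Citizen Lab report or from the MY2022 app. It uses Python’s standard `ssl` module to build a client context that skips certificate and hostname validation (the shape of the defect the researchers describe), a hardened context that enforces both, and a small audit function a reviewer can run against any client context. The `describe_peer` helper and the finding codes are this example’s own names; the audit itself runs offline.

```python
"""Added example: a TLS client that skips validation vs. one that enforces it."""
import socket
import ssl
from typing import List, Optional


def make_weak_context() -> ssl.SSLContext:
    """Client context that accepts any certificate for any host.

    This mirrors the failure the report describes: the chain is never
    checked against trusted CAs and the hostname is never matched, so an
    on-path host presenting its own certificate completes the handshake.
    check_hostname must be cleared before verify_mode, or Python raises.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Client context that rejects untrusted chains and mismatched hostnames."""
    # create_default_context() sets CERT_REQUIRED, check_hostname=True and
    # loads the system CA store; we also pin the floor to TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a short code for each weakness found in a client context.

    An empty list means the context validates the peer the way a client
    handling sensitive data should.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


def describe_peer(host: str, port: int = 443,
                  ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect with the given context and report what the peer presented.

    With the hardened context an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError before any application data is sent. With
    the weak context the handshake succeeds and getpeercert() returns {}
    because nothing was validated. This helper needs network access; the
    audit above does not.
    """
    ctx = ctx or make_hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "protocol": tls.version(),
                "verified_subject": tls.getpeercert().get("subject"),
            }


if __name__ == "__main__":
    print("weak context findings:    ", audit_context(make_weak_context()))
    print("hardened context findings:", audit_context(make_hardened_context()))
```

The audit is the check worth wiring into code review or CI for any client that ships health or identity data: a context reporting `no-cert-verification` or `no-hostname-check` will connect to whoever answers on the wire, which is exactly the condition the researchers describe.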

Censored words

The MY2022 description on Apple’s App Store says the mobile app provides a variety of communication features, including instant messaging, as well as travel, accommodation, and food information services.

However, Citizen Lab researchers said a file named “illegalwords.txt” bundled with the Android version of MY2022 contains a list of over 2,400 keywords that are generally considered politically sensitive by the ruling Chinese Communist Party (CCP).

The list of banned keywords includes the terms “Falun Gong,” “World Uyghur Congress,” “Freedom in Tibet,” and “Tiananmen Square Incident.”

This list also includes the Chinese terminology for this publication, The Epoch Times, and its sister media, the New Tang Dynasty Television.

Citizen Lab said it is noteworthy that the list also includes neutral references to the names of current and former Chinese leaders and government agencies.

Most of the prohibited keywords are in Simplified Chinese, with some in Tibetan, Uighur, Traditional Chinese, and English. Most of the keywords refer to pornography, profanity, and illegal products, and these were also found banned in other Chinese apps that Citizen Lab examined in previous studies.

“Internet platforms operating in China are legally required to control the content transmitted through the platform and face penalties,” Knockel wrote.

“The vague definition of prohibited content is often referred to as ‘pocket crime’, which refers to the fact that authorities can consider any action a crime. Such crimes are being used by the Chinese government to limit political and religious expression on the Internet.”

No reply

Citizen Lab said it had notified the Beijing Organizing Committee of the 2022 Olympic and Paralympic Winter Games about the MY2022 security issue on December 3, 2021. As of January 18, 2022, the institute had not received a response. The app developer released an update on January 17, 2022, but Citizen Lab said the vulnerability remained unresolved.

The institute added that China has historically been known to weaken encryption technology and to “use unencrypted network communications to launch man-in-the-middle attacks” in order to “perform political censorship and surveillance.”

This raises the question of whether MY2022’s encryption was intentionally weakened for surveillance purposes or whether the flaw was the developer’s mistake. But the report notes that data collected through the app is already submitted directly to the government, so intentionally weakening MY2022’s encryption would make little sense.

“The weakness in the encryption of health customs information may have been collateral damage from intentionally weakening the encryption of other types of data that the Chinese government is interested in intercepting, but our previous research suggests that inadequate protection of user data is endemic to China’s app ecosystem.”

“While some work has found intentionally inadequate security in software found in Chinese apps, such a widespread lack of security is more likely the result of a simpler explanation, such as a difference in priorities among Chinese software developers, than the result of a grand government conspiracy.”

Andrew Chen


Andrew Chen is a Toronto-based Epoch Times reporter.