
China’s App for Olympians Has Security Flaw, Censors Sensitive Words, Says Canadian Report

An app mandated for use by all attendees of the Beijing 2022 Winter Olympics has a flaw that allows encryption of sensitive data to be sidestepped, a new study by Canadian researchers says.  The app also censors words related to the Chinese authorities’ human rights abuses of ethnic and religious minority groups, according to the study.

The Citizen Lab, a global security research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy, published the study on Jan. 18, analyzing the MY2022 app. All attendees of the Beijing Winter Olympics are required to install the app to attend the Games, including audiences, members of the press, and the competing athletes.

Concerns of User Data Leaks

China requires all international and domestic attendees of the Games to download the app 14 days prior to their arrival. Users must monitor and submit their health status through the app on a daily basis.

The Citizen Lab report says the app—which collects users’ public-facing information along with a range of highly sensitive medical data—contains a “simple but devastating flaw,” allowing the encryption that protects the information to be “trivially sidestepped.”

“MY2022 fails to validate SSL certificates, thus failing to validate to whom it is sending sensitive, encrypted data,” researcher Jeffrey Knockel wrote.

“This failure to validate means the app can be deceived into connecting to a malicious host while believing it is a trusted host, allowing information that the app transmits to servers to be intercepted,” he wrote, adding that the vulnerabilities exist in both the app’s iOS and Android versions.
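To make the failure class concrete, here is an added illustration (not code from the page, from MY2022, or from The Citizen Lab): in Python’s `ssl` module, a client context that accepts any certificate from any host, beside one that rejects a server whose certificate does not chain to a trusted CA or whose name does not match the host, plus a small audit function that flags the weak settings. The function names and finding identifiers are assumptions made up for this example.

```python
import ssl

# Finding identifiers (constructed for this example).
NO_CERT_VALIDATION = "no-cert-validation"
NO_HOSTNAME_CHECK = "no-hostname-check"
LEGACY_TLS_ALLOWED = "legacy-tls-allowed"


def weak_client_context() -> ssl.SSLContext:
    """The failure class the report describes: the client never checks who it
    is talking to, so an impersonating host presenting any certificate is
    accepted and can read everything the client sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, from anyone
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A client context that refuses the handshake unless the server's
    certificate chains to a trusted CA and its name matches the host;
    a mismatch surfaces as ssl.SSLCertVerificationError on wrap_socket()."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client SSLContext; an empty list means
    the context would reject a host it cannot authenticate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VALIDATION)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(LEGACY_TLS_ALLOWED)
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or "OK")
```

The audit is the check a reviewer would run over a client's TLS setup: both `verify_mode` and `check_hostname` must hold, because validating the chain without the hostname still lets any holder of a valid certificate for some other name pose as the server.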

Censored Words

MY2022’s description on Apple’s App Store says the mobile app provides a wide range of communication functions like instant messaging and other information services for travel, accommodation, and food.

But Citizen Lab’s researchers discovered a file named “illegalwords.txt” bundled with MY2022’s Android version, which includes a list of over 2,400 keywords that are generally considered politically sensitive to the ruling Chinese Communist Party (CCP), the institute said.

Among the list of censored keywords were the terms “Falun Gong,” “World Uyghur Congress,” “Tibet Freedom,” and “Tiananmen massacre”—words referring to ethnic and religious minority groups persecuted by the CCP, and to human rights atrocities the Chinese regime has committed.

The list also includes the Chinese terms for this publication, The Epoch Times, and its sister media New Tang Dynasty Television.

The Citizen Lab said it is notable that the list also includes neutral references to the names of current and former Chinese leaders as well as government agencies.

Most of the banned keywords are listed in simplified Chinese, with a small portion in Tibetan, Uyghur, traditional Chinese, and English. The majority of the keywords refer to pornography, swear words, and illegal goods, which The Citizen Lab said its previous studies found similarly prohibited on other Chinese apps.

“Internet platforms operating in China are legally required to control content communicated over their platforms or face penalties,” Knockel wrote.

“Vague definitions of prohibited content are often called ‘pocket crimes’ referring to authorities being able to deem any action as an offense. Such crimes are utilized by the Chinese government to restrict political and religious expression over the Internet.”

No Response

The Citizen Lab said it informed the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games of the MY2022 security issues on Dec. 3, 2021. As of Jan. 18, 2022, the research institute had not received a response. The institute also noted that the app’s developers released an update on Jan. 17, 2022, but the vulnerabilities remain unresolved.

The institute added that China has historically undermined encryption technology to “perform political censorship and surveillance” and had been known to exploit “unencrypted network communications to launch man-in-the-middle attacks.”

While this raises questions about whether MY2022’s encryption was “intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence,” the report said the case for deliberate sabotage of MY2022’s encryption is problematic, as data collected through the app is already submitted directly to the government.

“While it is possible that weakness in the encryption of health customs information was collateral damage from the intentional weakening of the encryption of other types of data that the Chinese government would have an interest in intercepting, our prior work suggests that insufficient protection of user data is endemic to the Chinese app ecosystem.”

“While some work has ascribed intentionality to poor software security discovered in Chinese apps, we believe that such a widespread lack of security is less likely to be the result of a vast government conspiracy but rather the result of a simpler explanation such as differing priorities for software developers in China.”

Andrew Chen is an Epoch Times reporter based in Toronto.
