
Mandatory Chinese Olympics app has 'devastating' encryption flaw

By Caravanserai and AFP

A man uses his mobile phone at the spectator area of an Olympic venue in Beijing on December 15. [Noel Celis/AFP]

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog warned.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor COVID-19 and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab, on Tuesday (January 18).

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organisations "confirmed that there are no critical vulnerabilities".

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones is not required "as accredited personnel can log on to the health monitoring system on the web page instead".

The committee said it had asked Citizen Lab for its report "to understand their concerns better".

Citizen Lab said it notified the Chinese organising committee of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

A history of censorship, surveillance

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic".

The flaws concern the app's handling of SSL certificates, the mechanism by which a client checks that it is talking to the intended server before it sends any data.

MY2022 does not validate the SSL certificates presented by the servers it connects to, so a party able to intercept its traffic could impersonate those servers and read the app's data; in addition, some data is transmitted with no SSL encryption at all, Knockel wrote.
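The server-certificate check the report says MY2022 skips, shown as an added example; this is not code from the Citizen Lab report or from the app itself. It starts a local TLS server that presents a self-signed certificate, standing in for an interceptor between the app and its real server, and then connects three ways: with certificate verification disabled, which is the behaviour the report describes; with standard verification against the system's trusted roots; and trusting only the one certificate the app expects. The host name `health.olympics.example` is made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hypotheticalHost is a made-up server name for this demo, not a real MY2022 endpoint.
const hypotheticalHost = "health.olympics.example"

// Outcome records the handshake result for each client configuration against a
// server whose certificate no trusted CA has signed (nil means "accepted").
type Outcome struct {
	Permissive error // certificate checks disabled: the flaw the report describes
	Strict     error // default verification against the system's trusted roots
	Pinned     error // trusts only the one certificate the app expects
}

// newSelfSignedCert mints a certificate for host that nobody vouches for, which
// is what an interceptor would present. The parsed leaf is returned as well so
// the pinned client can build a trust pool containing exactly that certificate.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// startServer serves cert on a loopback port and answers every handshake; a
// strict client aborts its own handshake, which the server simply tolerates.
func startServer(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String(), nil
}

// connect dials addr expecting to reach host and returns the handshake error,
// or nil when the client accepted the server's identity.
func connect(addr, host string, cfg *tls.Config) error {
	cfg = cfg.Clone()
	cfg.ServerName = host
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Run stands up the untrusted server and tries all three client configurations.
func Run() (Outcome, error) {
	cert, leaf, err := newSelfSignedCert(hypotheticalHost)
	if err != nil {
		return Outcome{}, err
	}
	addr, err := startServer(cert)
	if err != nil {
		return Outcome{}, err
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(leaf) // the one certificate this client is willing to trust
	return Outcome{
		Permissive: connect(addr, hypotheticalHost, &tls.Config{InsecureSkipVerify: true}),
		Strict:     connect(addr, hypotheticalHost, &tls.Config{}),
		Pinned:     connect(addr, hypotheticalHost, &tls.Config{RootCAs: pinned}),
	}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Println("verification disabled, interceptor accepted:", out.Permissive == nil)
	fmt.Println("standard verification, interceptor rejected with:", out.Strict)
	fmt.Println("pinned certificate, genuine server accepted:", out.Pinned == nil)
}
```

The permissive client completes the handshake with whatever certificate it is shown, which is the position the report describes: anyone on the network path can stand up a server, present their own certificate, and receive the app's traffic. The strict client fails with an unknown-authority error, and the pinned client accepts the server only because its certificate is the one it was told to expect.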

While the app is transparent about the medical information it collects as part of China's efforts to screen COVID-19 cases, he said "it is unclear with whom or which organisation(s) it shares this information".

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress", he wrote.

In solidarity with China's oppressed Uighur Muslim population, the Global Imams Council has called on Muslims around the world to refrain from participating in or attending the 2022 Winter Olympics in Beijing.

Beijing has been committing a litany of violations in the northwestern region of Xinjiang, where more than a million people, most of them Uighurs, have been arbitrarily detained in "political re-education" camps.

Independent investigations and interviews with former camp inmates have brought to light physical and mental torture, brainwashing, systematic rape and sexual abuse inside the camps, which effectively serve as prisons.

Security risks in Chinese phones

Chinese phones have been coming under greater scrutiny around the world as studies continue to tie the devices to national security risks, censorship, privacy issues and data leaks.

Lithuania's Defence Ministry said in September that public institutions and consumers should be wary of using Chinese phones, warning about possible security flaws and data leaks.

The country's National Cyber Security Centre reported that it had found "cyber security risks" in two popular Chinese-made phones sold in Europe -- the Xiaomi Mi 10T 5G and the Huawei P40 5G.

In the Xiaomi -- the most popular smartphone in Europe -- it reported finding a built-in censorship tool that can block certain search terms in Chinese and also Latin script.

The censored terms appear to be ever-evolving: the blacklist held 449 words or phrases in April 2021 and 1,376 by September.

The blocked terms include "Free Tibet", "Long live Taiwan independence", "democracy movement", "student movement", "dictatorship", and the names of some Western companies and news outlets.

"We clearly saw that all of those key words are politically motivated," Lithuanian Vice Defence Minister Margiris Abukevicius told Voice of America (VOA).

"It is very, very worrying that there is a built-in censorship tool and of keywords, which filters or could filter your search on the web," he said.

The Huawei phone posed a threat because it automatically redirected users to third-party app stores that could host virus-infected apps, said the report.
