Use of the Chinese Olympics app, MY2022, is mandatory for everyone attending this year’s Olympic Games in Beijing, whether as an athlete or simply watching from the stadium.

The app collects sensitive personal data – like passport details, medical data, and travel history – and analysis by security researchers reveals that the code has two security holes that could expose this information …

Citizen Lab, which has also played a key role in identifying phones compromised by Pegasus spyware, carried out the analysis.

Although the app uses SSL, it doesn’t validate certificates.

Due to the COVID-19 pandemic, China has decided to implement a “closed-loop” management system and daily testing. Additionally, all international and domestic attendees of the Games are mandated to download MY2022 14 days prior to their departure for China and to start monitoring and submitting their health status to the app on a daily basis […]

[We found] two security vulnerabilities in MY2022 related to the security of the transmission of user data. First, we describe a vulnerability in which MY2022 fails to validate SSL certificates, thus failing to validate to whom it is sending sensitive, encrypted data. Second, we describe data transmissions that MY2022 fails to protect with any encryption.

Worse, some data is not encrypted at all – including details of who is communicating with whom.

Our analysis found that MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers. This failure to validate means the app can be deceived into connecting to a malicious host while believing it is a trusted host, allowing information that the app transmits to servers to be intercepted and allowing the app to display spoofed content that appears to originate from trusted servers.
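To make that first finding concrete, here is an added Go example (not code from the article, from Citizen Lab, or from MY2022) that starts a local HTTPS server with a self-signed certificate and compares three client configurations: one that disables certificate verification, which is the behaviour the report describes, the default strict client, and a client that explicitly trusts the server's own certificate. The server, handler and response text are constructed stand-ins.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer runs a loopback HTTPS server with a self-signed test
// certificate (a constructed stand-in, not any real Olympic backend).
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "health-status accepted")
	}))
}

// fetch performs one GET with the given TLS settings and reports
// whether the server's certificate was accepted by the client.
func fetch(url string, cfg *tls.Config) (bool, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// CheckValidation returns whether each client variant connects:
// skipOK   - verification disabled (the flaw described in the report)
// strictOK - Go defaults, verified against system roots
// pinnedOK - verified against a pool holding only the server's own cert
func CheckValidation() (skipOK, strictOK, pinnedOK bool) {
	srv := startServer()
	defer srv.Close()
	skipOK, _ = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	strictOK, _ = fetch(srv.URL, &tls.Config{})
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedOK, _ = fetch(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	s, t, p := CheckValidation()
	fmt.Printf("skip-verify: %v  strict: %v  pinned: %v\n", s, t, p)
}
```

Only the skip-verify client accepts the untrusted certificate; a properly configured client either rejects it outright or accepts it solely because the operator chose to trust that exact certificate.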

Additionally, the Android version contains a list of banned words – though this is not yet being actively used.

We also found that some sensitive data is transmitted without any SSL encryption or any security at all. We found that MY2022 transmits non-encrypted data to “tmail.beijing2022.cn” on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages’ senders and receivers and their user account identifiers.

Such data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, or an Internet Service Provider or other telecommunications company.

Bundled with the Android version of MY2022, we discovered a file named “illegalwords.txt” which contains a list of 2,442 keywords generally considered politically sensitive in China. However, despite its inclusion in the app, we were unable to find any functionality where these keywords were used to perform censorship. It is unclear whether this keyword list is entirely inactive, and, if so, whether the list is inactive intentionally. However, the app contains code functions designed to apply this list toward censorship, although at present these functions do not appear to be called.