Flaw?

The People’s Republic of China government requires everyone attending the Beijing Olympics next month to load a tracking app on their cell phones:

Those who attend the Olympics, including athletes and journalists, are required to download the app and upload their health and vaccination information to track potential outbreaks of COVID-19.

The Citizen Lab, based in the University of Toronto’s Munk School of Global Affairs & Public Policy, has identified what it terms a security flaw.

It turns out that the app, MY2022, fails to validate some SSL certificates. That means it’s a trivial matter for…others…to bypass any security measures, including encryption, that the phone’s owner might have implemented. Those others then can easily intercept and otherwise gain access to the cell phone owner’s sensitive information: all the medical information the PRC government requires to be loaded into the app, ostensibly for Wuhan Virus tracking, along with wholly unrelated information like all traffic in which the phone might be or have been engaged, all passport information, all medical information whether or not related to the Virus, and all other information stored on the cell phone—images and videos, contact lists, other emails, Web sites and bookmarks, and on and on.

The Lab’s key findings are

  • MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
  • MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.
  • MY2022 includes features that allow users to report “politically sensitive” content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.
  • While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.

It’s doubtful, at least to me, that China’s own laws and national standards pertaining to privacy protection are being violated, though, given the PRC government’s already widespread surveillance of all of its citizens. The PRC’s 2017 national intelligence law, too, requires all entities to cooperate with the government’s intelligence community and provide whatever information that community requires, which means that the app’s spying is no violation of the PRC’s own laws.

And there’s this:

[The] Citizen Lab said it had notified the Chinese organizing committee for the Games in December about the potential issues but had never received a response.

The Beijing Organizing Committee’s refusal to respond is itself instructive.

No, this is no flaw; neither PRC government programmers nor Beijing Organizing Committee programmers, who are the ones who officially built the app, are that amateurish. It’s deliberate, and it’s one more reason to not only skip the Beijing Olympics (including not watching them on NBC), but to skip doing any sort of business with any sort of PRC company.

The Lab’s report can be read here.