Mandatory My 2022 App Endangers Beijing Olympics Competitors

The mandatory application for the Beijing Winter Olympics, My 2022, has a number of security issues, making it vulnerable to hacking attacks, data leaks and surveillance.

Everyone who intends to attend the Olympics next month (including athletes, sports writers, sports management, etc.) is required to provide their health information to the Chinese authorities through the My 2022 mobile application.

However, according to a report from Citizen Lab, the app has a number of security issues that make it vulnerable to hacking, data breaches and snooping. In addition to encryption issues, My 2022 contains a list of keywords to be censored.

Shortly before the publication of the Citizen Lab report, the UK, Germany, Australia and the US urged their athletes not to take personal mobile devices to the Olympics and are ready to give them disposable phones. The Dutch Olympic Committee went even further and strictly prohibited its athletes from taking personal equipment to Beijing due to possible espionage by the Chinese authorities.

According to International Olympic Committee guidelines, athletes, coaches, journalists, management and all staff, numbering in the thousands, are required to submit health data through the My 2022 mobile application or website. The application, developed in China, is designed to monitor the health of participants and staff for possible COVID-19 infections.

Users also need to enter passport data, arrival/departure information and information about possible coronavirus symptoms (high temperature, fatigue, headache, cough, sore throat and diarrhoea) in the application.

"Persons arriving in Beijing from overseas should start entering the relevant information 14 days before arriving in China," Citizen Lab said.

There are applications for tracking the COVID-19 infection chain in many countries, but My 2022 combines this functionality with other services: manages access to events, acts as a guide and provides information about sports facilities and tourism services, acts as a messenger (text and audio), provides a news feed and allows sharing files.

According to the Citizen Lab report, the application does not validate SSL certificates, the mechanism that is supposed to guarantee that data travels only between a trusted device and a legitimate server. In other words, My 2022 has serious encryption issues: attackers can force the application to connect to a malicious host, allowing them to intercept communications or send malicious data in response.
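To show the class of bug described above, here is an added example (not code from My 2022 or from Citizen Lab) using Python's standard ssl module: a client context built the hardened way beside the weak variant that accepts any certificate, plus a small audit function that reports the findings a reviewer would flag. The function names are my own.

```python
import ssl

# Added illustration of the "no certificate validation" bug class.
# Nothing here is the app's code; the names below are assumptions.


def make_client_context(validate: bool = True) -> ssl.SSLContext:
    """Build a TLS client context.

    validate=False reproduces the weak configuration: the client accepts
    any certificate, so a host on the network path can present its own
    certificate and read or alter the traffic (a man-in-the-middle).
    """
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # pin floor explicitly
    if not validate:
        ctx.check_hostname = False                # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE           # any certificate is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings an app reviewer would raise for a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context(True)))   # []
    print("weak:", audit_context(make_client_context(False)))      # two findings
```

A context that passes the audit still only protects the connection if the app actually uses it for every endpoint; the report notes that some My 2022 services send traffic with no encryption at all.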

Worse still, for some services in the application, the traffic is not encrypted at all. That is, outsiders can easily read the chat metadata.

The researchers also found a text file, illegalwords.txt, in the application containing 2,442 keywords and phrases, mostly written in Simplified Chinese (the main script used in the PRC). A smaller number are written in Uighur, Tibetan, Traditional Chinese (used in Hong Kong and Taiwan) and English.

Many keywords include profanity as well as expressions related to politically taboo topics in communist China that are censored by the state, including criticism of the Chinese Communist Party and its leaders. One example on the list reviewed by Citizen Lab is the term “Holy Quran” in Uighur.

There is no evidence in the current version of the app that this list is being actively used for censorship. Why it is present in the application at all is not yet clear.

"Even if illegalwords.txt is not currently in use, My 2022 already contains code functions that can read this file and apply it for censorship, so enabling censorship will be a breeze," said Citizen Lab specialist Jeffrey Knockel.

Let me remind you that we previously reported that a Chinese bank forced Western companies to install tax software with a backdoor, and that the Chinese authorities use AI to analyse the emotions of Uyghur prisoners.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
