Olympics-China Games application has security flaws, researchers tell Reuters

(Reuters) – A Chinese-built phone app to monitor China’s health at Beijing Winter Olympics next month has security flaws that make it vulnerable to privacy breaches and hacking, according to a https: // report released by Canadian investigators on Tuesday. .

The MY2022 app was built by the Beijing Organizing Committee primarily to track and share medical information related to COVID-19 among athletes during the Games.

Researchers at the Citizen Lab project in Toronto said that MY2022 did not properly encrypt the transfer of personal data, leaving it vulnerable to hackers. They also found that MY2022’s privacy policy does not specify which organization would share user information with.

The International Olympic Committee (IOC) said it had conducted independent evaluations of the application and found no “critical vulnerabilities”.

“It is not mandatory to install‘ My 2022 ’on mobile phones,” the IOC said in a statement.

Yu Hong, the commission’s chief technology officer, said Wednesday that the main function of the app is to monitor people’s health and that the country complies with strict data protection rules.

All aspects of the MY2022 app have been validated by major app stores, the head of Beijing 2022 said at a conference hosted by the Chinese embassy in the United States. He was talking on video from Beijing.

Yu also said that the weaknesses in technology were natural in the development of this type of application, that his department was constantly updating it to eliminate these problems.

Researchers at Citizen Lab said they found bugs in the iOS version of the app after creating an account there. They were unable to set up an account on the Android version, but said security flaws were present in both versions of MY2022.

The report said that MY2022 was unable to validate the SSL certificates required to authenticate a website’s identity and enable encrypted connection. This can be exploited by hackers to transmit data to malicious sites.

The encrypted data is sent to “tmail.beijing2022.cn” for MY2022.

“Any passive listener can read this data, such as someone in the area of ​​a secure WiFi hotspot, someone operating a WiFi hotspot, or an Internet service provider or other telecommunications company,” the report says.

Citizen Lab said it had reported security concerns to the Beijing Winter Olympics Organizing Committee on Dec. 3, but had received no response.

The Winter Olympics begin on February 4th. Several countries, including the United States, Britain, Japan and Australia, have announced a diplomatic boycott of China over human rights concerns.