The Beijing Winter Olympics app that all Games attendees must use contains security weaknesses that leave users exposed to data breaches, analysts warn.
The My2022 app will be used by athletes, audience members and media for daily Covid monitoring.
The app will also offer voice chats, file transfers and Olympic news.
But cybersecurity group Citizen Lab says the app fails to provide encryption on many of its files.
The release of its report coincides with a rise in warnings about visitors’ tech security ahead of the Games, which begin on 4 February.
People attending the Beijing Olympics should bring burner phones and create email accounts for their time in China, various experts have advised.
Several countries have also reportedly told athletes to leave their main devices at home before arriving in China.
Censorship concerns
The authors of the Citizen Lab report said they had also found a “censorship keywords” list built into the app, and a reporting feature that can be used to flag other “politically sensitive” expressions.
The analysts noted that these features and security flaws weren’t atypical for apps operating in China, but they posed a risk nonetheless to users.
Analysts said the “illegal words” file appeared currently to be inactive, but it was unclear.
A list of the 2,442 keywords showed them to be mainly politics related, or referenced swear words and illegal goods. Most were in simplified Chinese, but some were also in Tibetan, Uyghur and English.
The list includes the names of Chinese leaders and government agencies, as well as references to the 1989 killing of pro-democracy protesters in Tiananmen Square and the religious group Falun Gong, which is banned in China.
Both the list and the reporting button are features typical of many popular apps used or developed in China, the analysts said. But it could lead to “non-transparent content removal and malicious reporting [of others]”.
All visitors to the Games are required to download the app 14 days prior to their departure for China, and use it to record daily their Covid status.
For foreign visitors they also need to upload sensitive information already submitted to the Chinese government – like passport details and travel and medical histories.
Citizen Lab said transmission weaknesses in the app’s software could lead to easy exploitation of data by a hacker, if targeted.
The analysts noted that the app fails to validate digital security, or SSL, certificates of forwarding sites, and some data was transmitted without any SSL protection or encryption at all.
Analysts warned that exposed weaknesses could trigger China’s own consumer privacy laws, as well as the policies on Google and Apple app stores.
The authors also wrote that while the flaws discovered were concerning, they “are not particularly surprising for apps operating in China”.
“While we found glaring and easily discoverable security issues with the way that My2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese Web browsers,” the authors wrote.