In a report released by Citizen Lab today, researchers analyzed the ‘My 2022’ Beijing Winter Olympics app and discovered the app is insecure when it comes to protecting the sensitive data of its users. The app’s encryption system carries a significant flaw that enables middle-men to access documents, audio and files in clear text form. Researchers found that the ‘My 2022’ app, which is required for all athletes, members of the press and the audience to have installed, is subject to censorship based on keywords and has an unclear privacy policy that doesn’t determine who receives and processes sensitive data, thus violating Google and Apple’s App Store guidelines.
<p><span lang=\"EN-US\">For those travelling to the Olympics, seriously consider whether your corporate devices will be required for the trip. If not needed, do not bring – think about using a burner device instead. Further, only use Bluetooth when absolutely needed and VPN should be mandatory regardless of whether on Wi-Fi or cell signal. Consider logging out of corporate applications on your phone. Inquire about your identity profile and consider a “least privilege” approach to application entitlements while away at the games.</span></p>
<p>The My 2022 app poses a serious privacy and security threat to Olympics athletes, staff and audience. On top of collecting detailed personal information, the app uses insecure SSL connections that can be intercepted by middlemen. The fact that this app was allowed to be published in both major app stores is concerning, showing how Google and Apple might be too lenient toward state-sponsored apps.</p>
<p>While the Citizen Lab report claims the app is required for participants, the International Olympic Committee says installation of the app is not compulsory and that the user is in control over what the app can access on their device. </p>
<p>However, in either case, users should share as little information as possible with the app, and are also advised to make sure their login and password information is different from that used on other apps, websites, and other users. Users should also delete the app from their devices as soon as possible. At the very least, uninstall it after clearing Chinese airspace, in order to protect against any possible hacking attempts in the future.</p>
<p>Poor app security is a leading cause of the rise in cyberattacks on mobile devices. While the security issues found in \’My 2022\’ are concerning, unfortunately they are not as unique as they appear. Not all mobile apps are susceptible to man-in-the-middle attacks, but most of them do contain undisclosed third parties who can access the same user data as the developer. Mobile users frequently assume that they are safe either because of app store policies, or because they have consented to terms of service – but third parties are not carefully checked by app reviewers, and they are rarely monitored for safety. They can be hijacked to execute phishing attacks, share sensitive data with fourth or fifth parties, suffer a data breach caused by lax security practices, or worse.</p>