China Olympics MY2022 App has Encryption Flaws – Posing a Serious Trust Problem

January 28, 2022 | Brooke Crothers

A mandatory smartphone app used by China Olympics athletes has a “devastating” encryption flaw, according to a new report from The Citizen Lab at University of Toronto.

This kind of high-profile encryption flaw sows distrust, especially when the potential exists for a government to reap the dubious benefits of collecting a variety of personal data.

The “simple but devastating flaw” affects encryption for users’ voice audio and file transfers as well as health customs forms – the latter can involve passport details, demographic information, and medical and travel history. Separately, server responses can also be spoofed.

While MY2022 seems to state clearly what kind of data it collects, it is not clear with whom the data is shared. That is potentially problematic because MY2022 also includes features that allow users to report “politically sensitive” content and ships a censorship keyword list covering domestic political topics.

Here’s how Citizen Lab describes the data collection:

“For domestic users, MY2022 collects personal information including name, national identification number, phone number, email address, profile picture, and employment information and shares it with the Beijing Organizing Committee for the 2022 Olympics…For international users, the app collects a different set of personal identifiable information including users’ demographic information and passport information (i.e., issue and expiration dates) as well as the organization to which they belong.”

--The Citizen Lab: “Cross-Country Exposure, Analysis of the MY2022 Olympics App”

The report goes on to say that the app’s security flaws may violate Google’s Unwanted Software Policy and Apple’s App Store guidelines, as well as China’s own laws and national standards on privacy protection, which would provide “potential avenues for future redress.”

Citizen Lab also noted that the MY2022 app was built by the Beijing Organizing Committee and is maintained by a state-owned company called Beijing Financial Holdings Group. The report also noted that Internet platforms operating in China are legally required to control content communicated over their platforms or face penalties.

Encryption failure

With lax or non-existent encryption, the gates are open for privacy violations.

Citizen Lab discovered two security vulnerabilities in MY2022. The first is a failure to validate SSL/TLS certificates; the second is a failure to encrypt some traffic with SSL/TLS at all. Both vulnerabilities “appear” to exist in both the iOS and Android versions of the app, the report said.

Citizen Lab describes the two findings, “Failure to validate SSL certificates” and “Failure to encrypt sensitive data,” as follows:

“Our analysis found that MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers.”

“We also found that some sensitive data is transmitted without any SSL encryption or any security at all. We found that MY2022 transmits non-encrypted data to ‘tmail.beijing2022.cn’ on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages’ senders and receivers and their user account identifiers. Such data can be read by any passive eavesdropper, such as someone in range of an unsecured wifi access point, someone operating a wifi hotspot, or an Internet Service Provider or other telecommunications company.”
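As an added example (not code from the Citizen Lab report or from MY2022), the Go program below stands up a loopback HTTPS server whose certificate no trust store knows and sends two clients to it: one with certificate validation disabled, which is the behaviour the report describes, and one with Go's default validation. The server, client names and response text are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newUntrustedServer starts a loopback HTTPS server. httptest signs its certificate
// with a test CA no trust store contains, so a correctly validating client must reject it.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "constructed response from an untrusted server")
	}))
}

// skipVerifyClient reproduces the reported flaw: TLS is negotiated, but the
// server certificate is never validated, so any certificate passes.
func skipVerifyClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}
}

// validatingClient keeps Go's defaults: trusted root required, hostname checked.
func validatingClient() *http.Client { return &http.Client{} }

// accepted reports whether the client completed a GET, i.e. accepted the
// server's certificate; a validation failure surfaces as a non-nil error.
func accepted(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// CheckClients points both clients at the untrusted server. Only the flawed
// client should connect; the validating client's error is returned for inspection.
func CheckClients() (skipVerifyAccepted, validatingAccepted bool, verifyErr error) {
	srv := newUntrustedServer()
	defer srv.Close()
	skipVerifyAccepted, _ = accepted(skipVerifyClient(), srv.URL)
	validatingAccepted, verifyErr = accepted(validatingClient(), srv.URL)
	return
}

func main() { fmt.Println(CheckClients()) }
```

The error the validating client returns is exactly the signal an app must surface rather than suppress; a client that reports no error here will connect to any server claiming to be the one it expects.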

Why Encryption matters

When encryption is implemented poorly, apps may appear to users to be more trustworthy than warranted. It can also expose app users to man-in-the-middle attacks, where cybercriminals intercept private communications. Moreover, it can open the door for malicious actors to use encryption backdoors to gain unauthorized access.

Ultimately, this type of vulnerability is unacceptable. As apps continue to rely on sensitive data and share increasing amounts of communication, we need to be assured of the privacy of the data that apps have access to. Without that trust, the system will simply collapse. Venafi VP of security strategy and threat intelligence Kevin Bocek explains why this type of vulnerability can’t be allowed to persist: “Every machine, cloud, and app relies on digital certificates to know what is trusted or not. The global economy can’t be safe if we fail to protect digital certificates.”

“Encryption plays a fundamental role in data privacy, whether it’s protecting data from hackers or governments,” Bocek advises. “The challenges organizations already face in managing and securing encryption keys, combined with concerns about the integrity and strength of encryption implementations, can undermine confidence in the privacy and security of data.”
