There are privacy concerns for the thousands of foreigners in Beijing for the 2022 Winter Olympics after Canadian research group Citizen Lab revealed vulnerabilities in an app that handles sensitive health information and is required by the Chinese government for anyone involved with the games.

The My 2022 app was designed by Beijing's organizing committee as an all-in-one experiential guide for local Olympics staff, global athletes, their entourages, the press, and administrators. Those traveling into the "closed loop" of venues were required to download the app 14 days ahead of arrival and submit personally-identifying information along with any COVID-19 tests they've done, vaccination status, and self-evaluations of their health.

Citizen Lab found that the app fails to validate the SSL encryption certificates it receives from some of its hosts, allowing malicious actors to potentially spoof host names and redirect sensitive data away from the legitimate servers and into their own hands. In the example given of "health.customsapp.com," a client might feed its passport and health data to that server. Furthermore, some connections have no encryption at all, under SSL or any other standard. One such pathway is to "tmail.beijing2022.cn," which presumably handles communications, participant identities, and file attachments. Man-in-the-middle data siphoning could occur on unsecured networks or on private ones with unscrupulous operators.
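The certificate-validation failure described above, as an added Go example that is not from the article or from Citizen Lab: a local `httptest` server with a self-signed certificate stands in for an untrusted host answering in place of an endpoint such as "health.customsapp.com" (the URL path, record contents and function names are constructed). A client that skips verification, like the behaviour reported, accepts that host; a client with Go's default verification rejects it unless its certificate is explicitly trusted.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newUntrustedServer stands in for a host answering in place of the real one:
// httptest mints a self-signed certificate that no trust store accepts.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "stored") // a spoofed server would now hold the submitted data
	}))
}

// submit posts a constructed record; an error means the TLS layer refused the peer.
func submit(client *http.Client, url string) (bool, error) {
	body := strings.NewReader(`{"passport":"PLACEHOLDER","pcr":"negative"}`) // constructed
	resp, err := client.Post(url, "application/json", body)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// weakClient reproduces the reported defect: the peer certificate is never checked.
func weakClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
}

// strictClient keeps Go's default chain and hostname verification (nil roots = system store).
func strictClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}}
}

func main() {
	srv := newUntrustedServer()
	defer srv.Close()
	ok, err := submit(weakClient(), srv.URL)
	fmt.Println("no validation:", ok, err) // true <nil>: spoofed host accepted
	ok, err = submit(strictClient(nil), srv.URL)
	fmt.Println("validation:", ok, err) // false, x509 unknown-authority error: rejected
}
```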

These findings were checked against versions 2.0.0 and 2.0.5 of the My 2022 iOS app through mid-January and are understood to apply to the Android version as well. The reported failings would put My 2022 and Beijing in conflict not only with privacy terms from Apple and Google, but also with a number of standards and rules in China's own Cybersecurity Law from 2016.

Another concern familiar in the country? Censorship. The app ships with a text document of more than 2,400 words and phrases in simplified and traditional Chinese, English, Tibetan, and Uyghur, ranging from obscene insults to prohibited religious and political topics such as Islam, the Dalai Lama, and the ongoing ethnic crackdown in Xinjiang. However, the list does not appear to be used by any censoring code at the moment. There is, though, a reporting feature that lets users report others for political speech. Citizen Lab says this is a common feature in Chinese apps, but it could open up the potential for censorship abuse in a global context.

While there's always the possibility that these lapses were deliberate, the research group does support the hypothesis that China's censorship policy has led to differing levels of SSL support across different access points, such as at the ISP or at a cafe, and that the app's exclusion of SSL for reaching certain hosts may be meant to ensure those connections go through.

You're probably not going to see this year's games in person, so you'd have no reason to download My 2022. But in case you need help resisting the temptation: just don't do it.