The mandatory smartphone app that athletes will use to report health and travel data when they are in China for the Olympics next month has serious encryption flaws, according to a new report, raising security questions about the systems that Beijing plans to use to track Covid-19 outbreaks.
Portions of the app that will transmit coronavirus test results, travel information and other personal data failed to verify the signature used in encrypted transfers, or didn’t encrypt the data at all, according to the report by Citizen Lab, a University of Toronto cybersecurity watchdog. The group also found that the app includes a series of political terms marked for censorship in its code, though it does not appear to actively use the list to filter communications.
China has entered the final planning stages for a Winter Olympics that will seek to control the spread of Covid-19 by keeping athletes and other participants separate from the greater Chinese population. The app, called MY2022, was designed to bolster those precautions, enabling electronic links between the government and participants to contact trace in the event of any outbreaks. It resembles a broader system of app-based health codes used to control population movements in the event of outbreaks.
The new concerns about the app underscore broader worries about censorship and surveillance during the Games in China, which has one of the world’s most sophisticated surveillance and censorship systems. Officials have already said athletes will be given cellular services that will allow them to circumvent widespread blocks on sites like Facebook, Google and Twitter.
In its report, Citizen Lab said it disclosed the security flaws to the Beijing Organizing Committee on Dec. 3 but had not received any response. A January update to the software did not fix the issues, which most likely put the app in violation of China’s newly enacted personal data protection laws, as well as the privacy policies required to list an app on Google’s and Apple’s stores.
Apple and Google did not immediately respond to requests for comment.
Issues such as incomplete or nonexistent encryption have long plagued China’s tech industry, which is tasked with the challenging double duty of protecting consumer data while also sharing it with government censors and surveillance.
From the early days of the Covid-19 pandemic, China’s government has relied on app-based tracking to control outbreaks and monitor people locked down in cities where cases appear. At times, such systems have been less than secure or transparent. In 2020, Alibaba-based tracking software immediately disclosed personal data to the local police without warning users.
Apps that track coronavirus exposures have been rife with security flaws. Many countries rushed out these apps in an effort to keep pace with the spread of the coronavirus, but then scrambled to address poor security practices. Human rights groups have warned that flaws in the design of these apps put people at risk for scams, identity theft or extensive government tracking, and could undermine the public’s trust in health initiatives.
In April 2020, Norway introduced a smartphone app called Smittestopp, or “stop infection,” which warned users if they came in contact with other users who had contracted the coronavirus. But by that June, data protection regulators had raised concerns that the risks of intensified surveillance outweighed the app’s unproven public health benefits. The next month, the country’s data watchdog imposed an interim ban on the app.
In preparation for the 2021 Tokyo Olympics, Japan worked to develop a contact tracing app that would track foreign visitors, but concerns quickly mounted over bugs in the software and whether all visitors would own smartphones on which to install the app.
The Citizen Lab report said MY2022 failed to confirm a unique encryption signature with the server where it was transferring data. In effect, that meant hackers could intercept the data without Chinese officials necessarily knowing. Other parts of the app, like its built-in messaging service, failed to encrypt metadata, making it easy for owners of wireless networks or telecoms to detect which phone was messaging another and at what time.
“All the information you are transmitting can be intercepted, particularly if you are on an untrusted network like a coffee shop or hotel Wi-Fi service,” said Jeffrey Knockel, a research associate with Citizen Lab and one of the authors of the report. Sensitive information lifted in this way could be used for identity theft, Dr. Knockel added.
It’s not clear whether the security flaws were intentional or not, but the report speculated that proper encryption might interfere with some of China’s ubiquitous online surveillance tools, especially systems that allow local authorities to snoop on phones using public wireless networks or internet cafes. Still, the researchers added that the flaws were probably intentional, because the government will already be receiving data from the app, so there wouldn’t be a need to intercept the data as it was being transferred.
“In using the app, you are already sending data directly to the Chinese government,” Dr. Knockel said.
The app also included a list of 2,422 political keywords, described within the code as “illegalwords.txt,” that worked as a keyword censorship list, according to Citizen Lab. The researchers said the list appeared to be a latent function that the app’s chat and file transfer function was not actively using.
Lists of censored words are common in Chinese social media apps, and work as a first line of defense in a multitiered censorship system designed to prevent the spread of unwelcome political topics.
Citizen Lab said the word list mostly included Chinese terms referring to the Tiananmen Square massacre, common criticisms of the Chinese Communist Party and the name of China’s president, Xi Jinping. Controls are particularly tight around Mr. Xi’s name. The lists also included a few words in other languages, notably references to the Dalai Lama in Tibetan and references to the Quran in Uyghur.
“They could turn on censorship with the flip of a switch,” Dr. Knockel said.
Kate Conger contributed reporting.
