Report, Marketing & Advertising News, ET BrandEquity

An app that all participants in the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to be leaked, a cybersecurity watchdog said on Tuesday.

The “simple but devastating flaw” in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other participants in the games in the Chinese capital, could allow information to be leaked on health, voice messages and other data, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying that users can disable the app’s access to certain parts of their phones and that assessments from two unnamed cybersecurity organizations “confirmed that there are no critical vulnerabilities”.

“The user controls what the application can access on their device,” the committee told AFP, adding that installation on mobile phones is not necessary “because accredited personnel can log into the health monitoring system on the web page instead.”

The committee said it asked Citizen Lab for its report “to better understand their concerns.”

Citizen Lab said it informed the Chinese Games organizing committee of the issues in early December and gave it 15 days to respond and 45 days to fix the issues, but received no response.

“China has a history of undermining encryption technology to perform political censorship and surveillance,” Knockel wrote.

“As such, it is reasonable to question whether this app’s encryption was intentionally sabotaged for surveillance purposes or whether the flaw arose from developer negligence,” the report continued, adding that “the case of the Chinese government sabotaging the encryption of MY2022 is problematic.”

The flaws concern SSL certificates, which are what let online parties verify whom they are talking to and communicate over an encrypted connection.

MY2022 does not validate SSL certificates, which means a third party on the network path could read or alter app data in transit, and some data is transmitted without any SSL encryption at all, Knockel wrote.
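To make the two failure modes above concrete for a reviewer auditing a client app, here is an added example (not code from the Citizen Lab report or from MY2022) showing, in Python, the configuration that reproduces the described flaw beside the hardened default, plus a small source-line scanner for the idioms that disable certificate validation in Python and Android/Java code. The pattern list and the sample source lines are constructed for illustration.

```python
import re
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the validation weaknesses present in a client SSLContext.

    An empty list means the context both validates the certificate chain
    and matches the certificate against the server name it connects to.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host")
    return findings


def flawed_client_context() -> ssl.SSLContext:
    """The weak setting: accept any certificate from anyone.

    This is the class of misconfiguration the report describes, so a
    machine in the network path can present its own certificate and read
    the traffic. check_hostname must be cleared before verify_mode can be
    set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: the standard library default validates the
    chain against the system trust store and checks the hostname."""
    return ssl.create_default_context()


# Idioms that disable validation, as a reviewer would grep for them
# (constructed list; covers Python 'ssl'/'requests' and Android/Java).
INSECURE_PATTERNS = {
    "requests verify disabled": re.compile(r"verify\s*=\s*False"),
    "ssl verify_mode CERT_NONE": re.compile(r"CERT_NONE"),
    "hostname check disabled": re.compile(r"check_hostname\s*=\s*False"),
    "unverified context helper": re.compile(r"_create_unverified_context"),
    "permissive HostnameVerifier": re.compile(r"verify\([^)]*\)\s*\{?\s*return\s+true"),
    "trust-all HostnameVerifier": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
}


def scan_source_for_disabled_verification(lines) -> list:
    """Return (line_number, finding) pairs for lines matching an insecure idiom."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in INSECURE_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample source lines; lines 1, 3, 4 and 5 should be flagged.
SAMPLE_SOURCE = [
    "resp = requests.get(url, verify=False)",
    "ctx = ssl.create_default_context()",
    "ctx.check_hostname = False",
    "ctx.verify_mode = ssl.CERT_NONE",
    "public boolean verify(String host, SSLSession s) { return true; }",
]


if __name__ == "__main__":
    print("flawed context:", audit_tls_context(flawed_client_context()))
    print("hardened context:", audit_tls_context(hardened_client_context()))
    for lineno, finding in scan_source_for_disabled_verification(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

The runtime audit is useful in a test suite that instantiates the app's HTTP client and asserts `audit_tls_context` returns nothing; the source scanner is a cheap first pass before a deeper review, and a hit is a finding to investigate, not proof of exploitability.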

While the app is transparent about the medical information it collects as part of China’s efforts to screen for Covid-19 cases, he said “it’s not clear with whom or with which organization(s) it shares this information”.

MY2022 also contains a list called “illegalwords.txt” of “politically sensitive” phrases in China, many of which relate to China’s political situation or its Tibetan and Uyghur Muslim minorities.

These include keywords like “CCP evil” and Xi Jinping, China’s president, although Knockel said it was unclear whether the list was being actively used for censorship purposes.

Due to these features, the app may violate both Google’s and Apple’s smartphone software policies, as well as “China’s own national privacy laws and standards, offering potential avenues for future redress,” he wrote.
