A mandatory smartphone app used by China Olympics athletes has a “devastating” encryption flaw, according to a new report from The Citizen Lab at University of Toronto.
This kind of high-profile encryption flaw sows distrust, especially when the potential exists for a government to reap the dubious benefits of collecting a variety of personal data.
The “simple but devastating flaw” affects encryption for users’ voice audio and file transfers as well as health customs forms – the latter can involve passport details, demographic information, and medical and travel history. Separately, server responses can also be spoofed.
While MY2022 seems to state clearly what kind of data it’s collecting, it is not clear with whom the data is shared – potentially problematic because MY2022 also includes features that allow users to report “politically sensitive” content and a censorship keyword list, which covers domestic political topics.
Here’s how Citizen Lab describes the data collection:
“For domestic users, MY2022 collects personal information including name, national identification number, phone number, email address, profile picture, and employment information and shares it with the Beijing Organizing Committee for the 2022 Olympics…For international users, the app collects a different set of personal identifiable information including users’ demographic information and passport information (i.e., issue and expiration dates) as well as the organization to which they belong.”
--The Citizen Lab: “Cross-Country Exposure, Analysis of the MY2022 Olympics App”
The report goes on to say that the app’s security flaws may violate Google’s Unwanted Software Policy and Apple’s App Store guidelines, as well as China’s own laws and national standards pertaining to privacy protection, which would provide “potential avenues for future redress.”
Citizen Lab also noted that the MY2022 app was built by the Beijing Organizing Committee and is maintained by a state-owned company called Beijing Financial Holdings Group. The report also noted that Internet platforms operating in China are legally required to control content communicated over their platforms or face penalties.
With lax or non-existent encryption, the gates are open for privacy violations.
Citizen Lab discovered two security vulnerabilities in MY2022. The first is a failure to validate SSL/TLS certificates and the second is a failure to encrypt with SSL/TLS protocols. Both vulnerabilities “appear” to exist in both the iOS and Android versions of the app, the report said.
Citizen Lab describes the “Failure to validate SSL certificates” and the “Failure to encrypt sensitive data,” respectively, as follows:
“Our analysis found that MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers.”
“We also found that some sensitive data is transmitted without any SSL encryption or any security at all. We found that MY2022 transmits non-encrypted data to ‘tmail.beijing2022.cn’ on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages’ senders and receivers and their user account identifiers. Such data can be read by any passive eavesdropper, such as someone in range of an unsecured wifi access point, someone operating a wifi hotspot, or an Internet Service Provider or other telecommunications company.”
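The two failure classes quoted above can be checked for in a client's own TLS configuration. The following is an added example, not code from Citizen Lab or from the MY2022 app: it uses Python's standard `ssl` module to put a non-validating client context beside a validating one and audits each. The function names, finding labels and endpoint URLs are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit


def unverified_context():
    """Flawed pattern: TLS is negotiated, but the server certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, so a server can be spoofed
    return ctx


def verified_context():
    """Corrected pattern: chain validated against trusted CAs, name matched to the host."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return the certificate-validation gaps of an SSLContext as a list of labels."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    return findings


def audit_endpoint(url, ctx):
    """Audit one endpoint: plaintext transport first, then certificate validation."""
    if urlsplit(url).scheme.lower() != "https":
        return ["plaintext-transport"]  # readable by any passive eavesdropper
    return audit_context(ctx)


# Constructed sample endpoints (hypothetical hosts, not the app's real servers).
SAMPLE_ENDPOINTS = [
    "https://api.example.test/health-form",
    "http://mail.example.test:8099/messages",
]


def audit_all(ctx):
    """Map each sample endpoint to its findings under the given client context."""
    return {url: audit_endpoint(url, ctx) for url in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for label, ctx in (("unverified", unverified_context()), ("verified", verified_context())):
        for url, findings in audit_all(ctx).items():
            print(label, url, findings or ["ok"])
```

Even with the validating context, the plaintext endpoint is still flagged: certificate validation does nothing for traffic that never uses TLS.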
Why encryption matters
When encryption is implemented poorly, apps may appear to users to be more trustworthy than warranted. Poor implementations can also expose app users to man-in-the-middle attacks, where cybercriminals intercept private communications. Moreover, they can open the door for malicious actors to use encryption backdoors to gain unauthorized access.
Ultimately, this type of vulnerability is unacceptable. As apps continue to rely on sensitive data and share increasing amounts of communication, we need to be assured of the privacy of the data that apps have access to. Without that trust, the system will simply collapse. Kevin Bocek, Venafi VP of security strategy and threat intelligence, warns why this type of vulnerability can’t persist: “Every machine, cloud, and app relies on digital certificates to know what is trusted or not. The global economy can’t be safe if we fail to protect digital certificates.”
“Encryption plays a fundamental role in data privacy, whether it’s protecting data from hackers or governments,” Bocek advises. “The challenges organizations already face in managing and securing encryption keys, combined with concerns about the integrity and strength of encryption implementations, can undermine confidence in the privacy and security of data.”