Wow. That looks problematic.
I guess all foreign governments need to issue burner phones to all athletes, coaches, support staff (and do so before 14 days before departure). That is probably a good idea anyway.
I don't think it is a problem for people who just want to go to the Games (spectators) because I don't think foreigners are allowed to do that anyway.
The PRC, I'm sure, is loving the analog-to-digital evolution of espionage and populace control, as are certain other despotic regimes.
Well, the rest of the world is loving it, too, no doubt!
Yes, the PRC is just further down the slippery slope.
I was of the impression that this app was provided by the Olympic committee, not the PRC. Just every government agency can make use of it.
Depends what you mean by "the Olympic committee" but at the end of the day I don't know. (Not being an athlete, coach or support staff intending to go to the Games, I don't have a pressing need to investigate more closely.) If it's a black box, how would you even know?
The article says though
an app required by Beijing law
and
Beijing 2022 has developed the "My 2022" application
So it is suggesting that the (host city) organising committee developed the app and it has the legislative support of some level of government in the PRC to enforce that attendees must run the app.
In my opinion, any mandatory app is fail, no matter who developed it, who supplied it, who mandated it.
Even a mandatory app that is open source is fail if all the open source allows me to do is verify that the app is compromising my device. (The assumption here is that the platform itself prevents me from taking the open source of the app, removing the offensive parts, compiling the result, and running the safe version of the app instead of the real version - or otherwise that enforcement by government prevents me from doing that.)
Is the app open source?
The presence of a potentially unused list of censorship (illegal) words raises the disconcerting possibility that the app has been developed by cut-and-paste from some other PRC government app. Hence it might contain a large amount of latent and dangerous functionality.
Some of the highlighted implementation errors suggest that that cut-and-paste job might have been a hasty one.
Overall, not ideal software development process considering that they have had almost 7 years to develop the app.
This app (MY2022) is commissioned by the IOC. Translated from Dutch main news:
"The IOC [after the conclusion of Citizen Lab] commented that this app is extensively tested and that no serious vulnerabilities are found. Also checks by app stores did not reveal any problem."
For what it's worth.
OK, regardless of who commissioned it, I would want to know what the app does.
Is it open source? If it's closed source then no amount of testing can really assure that it is not malicious. I would imagine that the examination so far is largely limited to seeing what APIs it uses.
A vulnerability may not be considered a vulnerability if the app is intentionally designed to compromise your privacy or security.
What permissions does the app require in order to run?
If the app isn't doing anything malicious i.e. doesn't have anything to hide then there's no reason for it to be closed source. Right?
On top of that, a mandatory app implies a mandatory mobile phone, and a mobile phone implies tracking device. So even an app that basically does nothing becomes dubious if it is mandatory.
I'm wondering what will happen if a country turns up in Beijing and they just didn't bring any phones.
Does the IOC have an explanation for why the app includes a list of "illegal words"?
Got some new info from IOC (https://soyacincau.com/2022/01/19/ioc-defends-the-mandatory-chinese-olympics-app-after-it-was-slammed-for-security-concerns/)
"IOC also mentioned that it is 'not compulsory' to install the app on cell phones specifically. Users can instead 'log on to the health monitoring system on the web page instead'."
Yeah, I'm gonna have to side with Citizen Lab on this one. I imagine they have more expertise in this area than the IOC.
"The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC's comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks," said Ron Deibert, director of Citizen Lab.
Here's their original report:
"...the app is owned by a state-owned company called Beijing Financial Holdings Group."
It's interesting that this app didn't raise any security/privacy red flags with Google and Apple. So either it's innocuous, or the supposedly most secure app stores (as they like to say) don't do a great job at security.
I'm sure the IOC has a vested interest in not rocking the boat right now, too.
Rightly or wrongly, the IOC tries to steer clear of politics.
Still, at the end of the day, what does the app do?
Perhaps you can find some documentation regarding what checks Google/Apple do for an app submitted to the app store. I assume that they don't demand that all app developers submit the source code of the app (even though there would be some merit in that idea). So, if G/A don't have access to the source, what do they use for "red flags"? (no pun intended)
I would guess that they would check
- what the required permissions are
- what APIs are used
but in that case that isnât more than Citizen Lab would have done anyway.
Fairly obviously any app that is permitted to access the internet and that references the API to do that has the potential for tracking and/or data exfiltration.
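As an added example (not from this thread, and not code from the IOC, Citizen Lab or the app's developer), here is a small static triage in Python of the two things the post above says a store review would look at: the permissions an app declares and the APIs it references, plus the two red flags raised here, network access and the ability to load code that was not in the reviewed package. It assumes the manifest has already been decoded to plain XML (as apktool produces; inside the APK it is binary XML) and that the class names were pulled from the app's DEX files (e.g. with dexdump). The manifest and class list below are constructed samples, not the real app.

```python
"""Static triage of a decoded Android manifest plus a class-reference list.

Assumptions (this is an illustrative example, not the My 2022 app):
  - manifest_xml is the plain-text AndroidManifest.xml that apktool writes
    when decoding an APK.
  - class_refs is the list of fully-qualified class names referenced by the
    app's DEX files (e.g. extracted with dexdump).
Both sample inputs at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give network reach or access to personal data.
SENSITIVE_PERMISSIONS = {
    "android.permission.INTERNET": "network access (exfiltration channel)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install other packages",
}

# Class loaders that let an app run DEX code that was not in the reviewed APK.
DYNAMIC_CODE_CLASSES = {
    "dalvik.system.DexClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
    "dalvik.system.PathClassLoader",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name of a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, class_refs: list) -> dict:
    """Summarise what the manifest and class references allow the app to do."""
    perms = declared_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS}
    loaders = sorted(c for c in class_refs if c in DYNAMIC_CODE_CLASSES)
    has_internet = "android.permission.INTERNET" in perms
    return {
        "permissions": perms,
        "sensitive": sensitive,
        "has_internet": has_internet,
        "dynamic_code_loaders": loaders,
        # Network reach plus a dynamic class loader means the code that runs on
        # the device need not be the code a reviewer looked at.
        "can_fetch_and_run_code": has_internet and bool(loaders),
    }


# Constructed sample manifest (not the real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mandatory">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Sample"/>
</manifest>
"""

# Constructed sample of class names as a dexdump listing would give them.
SAMPLE_CLASS_REFS = [
    "android.app.Activity",
    "okhttp3.OkHttpClient",
    "dalvik.system.DexClassLoader",
    "java.util.ArrayList",
]

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_CLASS_REFS)
    for perm, why in report["sensitive"].items():
        print(f"{perm}: {why}")
    print("dynamic code loaders:", report["dynamic_code_loaders"])
    print("can fetch and run new code:", report["can_fetch_and_run_code"])
```

This only tells you what the app is able to do, not what it does; a permission that is declared but never used and a loader that is never called look the same here. That is exactly the limit of a permissions-and-APIs review, and why the question "what does the app actually do?" still needs dynamic analysis or the source.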
They've bowed down to China before, I wouldn't be at all surprised if they did again.
And any app that can receive an update to its code.
So why not just bring two phones to the Olympics with you? Go out and buy a $40 phone and load only the required apps to it, and don't use your normal Google account on it. This phone would be kept clear of all personal information except what is required to attend. If you're traveling with friends, have them do the same and let them share your hoax-google account with you so that as you and they turn the phones on and off, the tracking of you and them bounces all over the map as an undefined person that is just sharing some ambiguous account. And keep it turned off in all except for the required times. Then bring your real personal phone with all of your normal apps and logins on it also. If the Chinese government spies on your phone then and your Google profile, they only get what you intend them to get, which includes a lot of mis-direction and no additional personal data. Everyone in your group could also friend the false person on Facebook and then share the false person's posts with everyone in the group. That would allow everyone to stay in-touch and to communicate anonymously with everyone in the group, using either their personal/private phones or their $40 phone.
Use encryption and VPN services on your real personal phone and no security what-so-ever on the $40 phone. They might even think they have everything on you while they only have what you chose to let them have.
Bruce talks about it below. It looks like it collects a fair bit of data and is vulnerable.
https://www.schneier.com/blog/archives/2022/01/chinas-olympics-app-is-
Any half-decent environment would not permit an app to receive an update to its code that has not gone through the same process as the original code went through i.e. the process as far as submission to the store and the checks that G/A make. Otherwise this would be a loophole big enough to drive a bus through.
Also, an app probably doesn't control its own updating i.e. updating is centralised through the store. There is user convenience in that, as well as developer convenience.
Bring no phones. Any phone that is handed over to the authorities as you enter the country is potentially compromised. If you have to bring a phone (e.g. for compliance) then bring one burner phone.
I wouldn't recommend playing games with the Chinese government.
- they don't have a sense of humour
- they are better resourced than you
- they are probably smarter than you
This may have been a thought experiment but no foreign spectators are allowed. No one is travelling to the Beijing Winter Olympics with friends.
Sometimes that will work, sometimes it won't. Believe it or not, the Chinese government knows about these. Many VPN services will simply be blocked. Any traffic that looks like VPN will likely be detected and then potentially blocked. But, OK, if you run your own VPN server, solely for your use, and it is set up carefully, you may get away with it.