Wow. That looks problematic.
I guess all foreign governments need to issue burner phones to all athletes, coaches, support staff (and do so before 14 days before departure). That is probably a good idea anyway.
I don’t think it is a problem for people who just want to go to the Games (spectators) because I don’t think foreigners are allowed to do that anyway.
The PRC, I’m sure, is loving the analog-to-digital evolution of espionage and populace control, as are certain other despotic regimes.
Well, the rest of the world is loving it, too, no doubt!
Yes, the PRC is just further down the slippery slope.
I was of the impression that this app was provided by the Olympic committee, not the PRC. Just every government agency can make use of it.
Depends what you mean by “the Olympic committee” but at the end of the day I don’t know. (Not being an athlete, coach or support staff intending to go to the Games, I don’t have a pressing need to investigate more closely.) If it’s a blackbox, how would you even know?
The article says though
an app required by Beijing law
Beijing 2022 has developed the ‘My 2022’ application
So it is suggesting that the (host city) organising committee developed the app and it has the legislative support of some level of government in the PRC to enforce that attendees must run the app.
In my opinion, any mandatory app is fail, no matter who developed it, who supplied it, who mandated it.
Even a mandatory app that is open source is fail if all the open source allows me to do is verify that the app is compromising my device. (The assumption here is that the platform itself prevents me from taking the open source of the app, removing the offensive parts, compiling the result, and running the safe version of the app instead of the real version - or otherwise that enforcement by government prevents me from doing that.)
Is the app open source?
The presence of a potentially unused list of censorship (illegal) words raises the disconcerting possibility that the app has been developed by cut-and-paste from some other PRC government app. Hence it might contain a large amount of latent and dangerous functionality.
Some of the highlighted implementation errors suggest that that cut-and-paste job might have been a hasty one.
Overall, not an ideal software development process considering that they have had almost 7 years to develop the app.
This app (MY2022) is commissioned by the IOC. Translated from Dutch main news:
“The IOC [after the conclusion of Citizens lab] commented that this app is extensively tested and that no serious vulnerabilities are found. Also checks by app stores did not reveal any problem.”
For what it's worth.
OK, regardless of who commissioned it, I would want to know what the app does.
Is it open source? If it’s closed source then no amount of testing can really assure that it is not malicious. I would imagine that the examination so far is largely limited to seeing what APIs it uses.
A vulnerability may not be considered a vulnerability if the app is intentionally designed to compromise your privacy or security.
What permissions does the app require in order to run?
If the app isn’t doing anything malicious i.e. doesn’t have anything to hide then there’s no reason for it to be closed source. Right?
On top of that, a mandatory app implies a mandatory mobile phone, and a mobile phone implies tracking device. So even an app that basically does nothing becomes dubious if it is mandatory.
I’m wondering what will happen if a country turns up in Beijing and they just didn’t bring any phones.
Does the IOC have an explanation for why the app includes a list of “illegal words”?
IOC also mentioned that it is “not compulsory” to install the app on cell phones specifically. Users can instead “log on to the health monitoring system on the web page instead”.
Yeah, I’m gonna have to side with Citizen Lab on this one. I imagine they have more expertise in this area than the IOC.
“The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC’s comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks,” said Ron Deibert, director of Citizen Lab.
Here’s their original report:
“…the app is owned by a state-owned company called Beijing Financial Holdings Group.”
It’s interesting that this app didn’t raise any security/privacy red flags with Google and Apple. So either it’s innocuous, or the supposedly most secure app stores (as they like to say) don’t do a great job at security.
I’m sure the IOC has a vested interest in not rocking the boat right now, too.
Rightly or wrongly, the IOC tries to steer clear of politics.
Still, at the end of the day, what does the app do?
Perhaps you can find some documentation regarding what checks Google/Apple do for an app submitted to the app store. I assume that they don’t demand that all app developers submit the source code of the app (even though there would be some merit in that idea). So, if G/A don’t have access to the source, what do they use for “red flags”? (no pun intended)
I would guess that they would check
- what the required permissions are
- what APIs are used
but in that case that isn’t more than Citizen Lab would have done anyway.
Fairly obviously any app that is permitted to access the internet and that references the API to do that has the potential for tracking and/or data exfiltration.
They’ve bowed down to China before, I wouldn’t be at all surprised if they did again.
And any app that can receive an update to its code.
So why not just bring two phones to the Olympics with you? Go out and buy a $40 phone and load only the required apps to it, and don’t use your normal Google account on it. This phone would be kept clear of all personal information except what is required to attend. If you’re traveling with friends, have them do the same and let them share your hoax Google account with you so that as you and they turn the phones on and off, the tracking of you and them bounces all over the map as an undefined person that is just sharing some ambiguous account. And keep it turned off in all except for the required times. Then bring your real personal phone with all of your normal apps and logins on it also. If the Chinese government spies on your phone then and your Google profile, they only get what you intend them to get, which includes a lot of misdirection and no additional personal data. Everyone in your group could also friend the false person on Facebook and then share the false person’s posts with everyone in the group. That would allow everyone to stay in touch and to communicate anonymously with everyone in the group, using either their personal/private phones or their $40 phone.
Use encryption and VPN services on your real personal phone and no security whatsoever on the $40 phone. They might even think they have everything on you while they only have what you chose to let them have.
Bruce talks about it below. It looks like it collects a fair bit of data and is vulnerable.
Any half-decent environment would not permit an app to receive an update to its code that has not gone through the same process as the original code went through i.e. the process as far as submission to the store and the checks that G/A make. Otherwise this would be a loophole big enough to drive a bus through.
Also, an app probably doesn’t control its own updating i.e. updating is centralised through the store. There is user convenience in that, as well as developer convenience.
Bring no phones. Any phone that is handed over to the authorities as you enter the country is potentially compromised. If you have to bring a phone (e.g. for compliance) then bring one burner phone.
I wouldn’t recommend playing games with the Chinese government.
- they don’t have a sense of humour
- they are better resourced than you
- they are probably smarter than you
This may have been a thought experiment but no foreign spectators are allowed. No one is travelling to the Beijing Winter Olympics with friends.
Sometimes that will work, sometimes it won’t. Believe it or not, the Chinese government knows about these. Many VPN services will simply be blocked. Any traffic that looks like VPN will likely be detected and then potentially blocked. But, OK, if you run your own VPN server, solely for your use, and it is set up carefully, you may get away with it.