OK, regardless of who commissioned it, I would want to know what the app does.
Is it open source? If it’s closed source then no amount of testing can really assure that it is not malicious. I would imagine that the examination so far is largely limited to seeing what APIs it uses.
A vulnerability may not be considered a vulnerability if the app is intentionally designed to compromise your privacy or security.
What permissions does the app require in order to run?
If the app isn’t doing anything malicious i.e. doesn’t have anything to hide then there’s no reason for it to be closed source. Right?
On top of that, a mandatory app implies a mandatory mobile phone, and a mobile phone implies tracking device. So even an app that basically does nothing becomes dubious if it is mandatory.
I’m wondering what will happen if a country turns up in Beijing and they just didn’t bring any phones.
Does the IOC have an explanation for why the app includes a list of “illegal words”?