Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
-
Space shuttle ready for new mission in California
-
Modigliani nude sets European record at London auction
-
Tunisia coach Renard demands pride in final World Cup outing
-
Trump seeks $88 bn in extra funding, mostly for Iran war
-
Switzerland, Canada advance as Brazil eye last 32
-
Wyatt-Hodge stars as England ease into Women's T20 World Cup semi-finals
-
Bosnia in strong position to reach last 32, Qatar out of World Cup
-
Switzerland down World Cup co-hosts Canada to top Group B, both progress
-
Brent falls below $75 as Nasdaq drops for 3rd straight day
-
'New rules': life in world epicentre of jihadist terror
-
Korda chases 3rd straight major at Women's PGA Championship
-
Trump clashes with Republicans in testy Capitol visit
-
Zimbabwe Senate approves bill to extend presidential term
-
Scheffler says PGA Tour headed 'in right direction' with two-tier system
-
Pulisic fitness boost as US seek knockout momentum against Turkey
-
Mamdani-backed leftist candidates win New York Democratic primaries
-
Hantavirus outbreak should formally end on July 2: WHO
-
Britain's Draper continues promising start under Andy Murray
-
Hong Kong arrests two for allegedly selling 'seditious' material
-
Laporte wary of Uruguay will to avoid World Cup exit against Spain
-
US promises to protect Gulf states' interests in Iran talks
-
Major Nigeria police reform edges forward with senate approval
-
Trials of two Ebola treatments to start in DRC next week: WHO
-
Trump consolidates rightward shift in Latin America
-
Judge asks why Kennedy Center covering facade after Trump's name removed
-
Olympics to offer all Games competitors $10,000 grants
-
Left-wing candidate concedes tight Colombia election
-
US health deals cause trouble for Kenya govt
-
Stocks rebound after tech rout, Brent falls below $75
-
Socialism with a twist or crony capitalism? Cuban reforms spark debate
-
Berlin unveils monument to Jehovah's Witnesses murdered by Nazis
-
'Inhumane': Gaza flotilla activists recount Israeli detention ordeal
-
'Fingerprints' of black hole's event horizon detected for first time
-
Spurs sign Dubravka as goalkeeper cover
-
Verstappen seeking home boost with Red Bull upgrades
-
'You have to work': Riders brave Rome heat for survival
-
England captain Stokes 'man enough' to apologise for curfew breach
-
France detects first Ebola case outside Africa in current outbreak
-
England captain Stokes 'man enough' to apologise after curfew breach
-
'GTA VI' preorders mark first test for biggest game of 2026
-
German naval ambitions suffer setback as warship order axed
-
Stocks rebound after tech rout, oil prices drop
-
London police to extend use of live facial recognition, drones
-
Australia spy chief warns of Iran terror threat
-
Europe swelters under record-breaking heatwave
-
Heatwave-hit Europe must adapt healthcare: WHO
-
Iran says deal to end Mideast war 'declaration of US defeat'
-
Euclid telescope snaps best photo yet of Milky Way's heart
-
S.Korea chip giant SK hynix seeks $29 bn in Nasdaq listing: regulatory filing
-
French-German tank maker KNDS fires starting gun on mega-IPO
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
F.Cardoso--PC