The official Beijing Winter Olympics app was recently found to have security vulnerabilities when it comes to protecting sensitive user data. In particular, the app’s encryption system carries a significant flaw that enables middlemen to access documents, audio and files in clear text form.
The ‘My 2022’ app is required for all athletes, members of the press, and the audience.
Looking into the matter for Digital Journal is James Carder, Chief Security Officer at LogRhythm.
Carder outlines why certain apps, despite their popularity, continue to present a risk to users: “Apps such as ‘My 2022’ continue to be a massive target for cybercriminals due to the vast amounts of personal data that is stored within their virtual walls that can be manipulated at the criminal’s discretion.”
There is a political element to the app as well, in terms of open use and democracy. The ‘My 2022’ app is subject to censorship based on a built-in list of keywords, which includes the names of Chinese leaders and government agencies.
“The Beijing Winter Olympics app stores details about the daily activity of each of the athletes that can be used to identify where they are, where they will be and when, and what sensitive personal information they have to share to ensure eligibility to compete in the Olympics,” Carder says.
Carder says the app also holds permission to access audio, which hackers could use to listen in on an athlete making a phone call.
The information stored in the app can enable attacks, both logical and physical, as well as other ways to influence and impact the personal lives of athletes.
“These apps should have a base level of security applied, where they are tested and it is assured that they cannot be compromised by bad actors,” says Carder. “This is why there is such a thing as AppSec programs and secure application architectures, which encryption is foundational to.”