My 2022: Expert alleges espionage against China’s Olympic app


A US security researcher has decompiled the app that is mandatory for participants in the Beijing Winter Olympics and is now raising serious allegations against China. According to him, the app makes audio recordings: “I can definitely say that all audio recordings of the Olympians are collected, analyzed and stored on Chinese servers,” security researcher Jonathan Scott explains on Twitter. Other experts are skeptical.

Scott points to indications in the code that the Chinese developers of the app have also integrated components from other vendors, including modules from the Chinese company iFlytek, which can also process audio. He concludes that the app is constantly listening to all logged-in users and sending the data to Chinese servers. Scott has published the decompiled code and assets of the app for Android and iOS on GitHub.

So far, Scott has not provided any evidence, for example based on network traffic, that the app is constantly making recordings and passing them on. To verify this, one would have to be logged in, and only accredited participants in the games have access to the app. Several other IT security experts pointed this out in a Twitter Space with Scott on Friday.

It is common to find third-party components in an app's code; this is exactly what software development kits (SDKs) are for. As a rule, the resulting executable is not cleaned up or optimized much. As a result, components that the SDK offers end up in it even if the app does not use these additional functions.

Security researchers at the University of Toronto’s Citizen Lab had previously found weaknesses in the encryption of the app’s client-server communication. The Olympians are also supposed to store medical data such as their vaccination status in the app. According to Citizen Lab, it is unclear with whom all this information is shared. Taken together, the private data are therefore insufficiently protected.

Sports associations are also critical of the app. The German Olympic Sports Confederation (DOSB) and other state associations have recommended that athletes not install My 2022 on their personal devices. The DOSB provides the German delegation with smartphones for this purpose. The Dutch National Olympic Committee (NOK) has reportedly distributed “clean” equipment to be destroyed upon return from China.

The Chinese smartphone manufacturer Xiaomi was recently confronted with accusations of keeping censorship lists on its smartphones. According to IT security authorities from Lithuania and Taiwan, the company can switch these on and off remotely. However, the Federal Office for Information Security (BSI) found no evidence of this.


(dmk)
