The MY2022 app is a mandatory download for Olympians and looks like a security nightmare
A while ago, we heard that a handful of countries advised their respective Olympic teams to leave all personal electronics at home and use a “burner phone” in Beijing. This was of course done due to concerns about the Chinese government’s stranglehold on the internet and all electronic communications. Sometimes Big Brother really watches.
Turns out that advice was pretty solid, as researchers tore apart the Android and iOS versions of the MY2022 app – which must be used by all Olympians – and found a few really interesting things. Not the right kind of interesting, either.
There’s a lot to cover in this Twitter thread, and none of it is good. Taken at face value, the application code on both platforms shows:
- The app takes full control of the microphone
- The app forces itself to the foreground so Android users don’t get a notification that it’s running
- The app can collect audio anytime
- The app sends audio files to servers located in mainland China
- The collected audio is processed by Chinese artificial intelligence company iFLYTEK, which has been blacklisted in the United States for security reasons
- Users of Chinese-brand phones from Huawei, Xiaomi, Vivo, Meizu and Oppo also have data sent back to the manufacturer through the app
Ouch! It doesn’t inspire confidence in the app China is forcing athletes to install on their phones if they want to compete in the 2022 Winter Games. It’s also worth noting that Apple and Google have done a lot of work to make sure apps can’t do any of this. Still, no type of security protection is ever foolproof and this is a prime example. I tried to find someone in Beijing with an Android 12 phone to see if the microphone indicators are active, but I’m not very well connected in the Olympian crowd. If you are, please take a moment to help us.
It is very important to separate the things that are 100% happening from the things that could happen. We know that the audio is processed by a company that the United States claims works for the Chinese Communist Party government. It is also a Chinese startup with offices located in China.
We also know that the app pushes its way to the foreground. If you are not aware, it means that the application runs as if it is displayed on your screen, even if it is not. It’s not a good practice, but the capability is there on Android and iOS because sometimes it’s a necessary evil.
We know that the audio, once captured, is sent to a server located in China. This makes perfect sense – a Chinese company does the processing and Chinese companies all have servers located in China. It’s not a big thing, but it’s an expected thing.
For the rest, well, the app could launch and record whatever it hears without the user, or anyone around the user, knowing. It could then send that data to a server where a great AI can process it and report anything it thinks should be heard by an actual human. Remember, China is a country that doesn’t have any kind of First Amendment-type protections, and inside China’s borders, you can’t just say what you want. Especially any sort of criticism of the government, or talking about Winnie the Pooh.
Every good story has two sides. Enter Dan Goodin, another Ars Technica security researcher and journalist who is not quite sold on all these claims. However, he totally agrees that the app is shady AF and says that according to The Citizen Lab’s assessment, the app looks worrying.
Maybe the app can do these things, but there’s no evidence that it has or will.
He also tempers the discussion with a simple lack of evidence. The app may possibly do other things, but there’s no evidence that it has or will. He is also right. Part of the reason is that the research into the app is new and the 2022 Winter Games have just started, but another part is how mobile OS app permissions work. In the end, too much stuff gets bundled together and apps get permissions they don’t need because of it.
Ultimately, the only real solution in this sea of scary unknowns is to use a burner phone instead of one of the best Android phones. If everything claimed about the app is true, you’ll still send every noise you make to the CCP, but once you’re done with the 2022 Winter Olympics, you can throw the phone away in a trash can at the airport. Most of us won’t have to worry about that as we’re not attending the 2022 games, but similar situations can happen to anyone traveling abroad, especially when traveling to a country that does not respect your civil rights the way you’re used to.