Epoch Times article by By and
A U.S. researcher is flagging a security flaw in a smartphone app that is mandatory for all those attending the 2022 Winter Olympics, describing what he found as “nefarious and concerning.”
A U.S. researcher is flagging a security flaw in a smartphone app that is mandatory for all those attending the 2022 Winter Olympics, describing what he found as “nefarious and concerning.”
Jonathan Scott, lead mobile security engineer at fintech company cLabs, discovered the flaw recently after reverse-engineering both the iOS and Android versions of the MY2022 app—a tool developed by Beijing to track users’ COVID-19 health status and to provide information about the Games.
What Scott also discovered was that the AI algorithm behind the app is developed by iFLYTEK Co., a blacklisted Chinese tech firm known for its ties with Beijing’s human rights abuses in China’s far-western region of Xinjiang.
In an interview with EpochTV’s “China Insider” program, Scott explained what the flaw is—the app listens to all audio and when it detects its users saying words deemed sensitive by Beijing, it collects the audio and sends it to servers in China for analysis.
The app automatically moves to the phone’s foreground once it is triggered by sensitive words, even if the phone’s user leaves the app in the background, according to Scott.
“It’s an invasive application … if you are participating in the Winter Olympics 2022, you have no other choice but to have this installed,” he said.
As for what these sensitive words are, Scott said they are the words that make up a censorship keyboard list previously reported by the Citizen Lab. The list serves what he called a “wake-up feature” to trigger the app’s recording function.
The Citizen Lab, a research institute at the University of Toronto, released its digital forensic analysis on Jan. 18, discovering that the app’s encryption to protect users’ audio files and health and customs forms can be vulnerable to hackers.
The analysis also found that the app has the ability to censor 2,442 keywords, blacklisted words considered “politically sensitive in China.” It concluded that the list was inactive on the app—contrary to what Scott has found.
“I’m fairly confident they did not decrypt the iOS application, so they couldn’t actually see these functions happening. Because it’s very evident once you’ve decrypted the iOS application,” he said what he believed that Citizen Lab researchers didn’t do.
Scott said the code of his research is available for people to see at his GitHub repository and he will release a full report on his findings.
He also took notice of a questionable change of the app on the Apple App Store download page. The app’s privacy policy changed from no data collected on Jan. 22 to collecting only contact information from its users.
In October 2019, the Trump administration placed iFLYTEK and 27 other Chinese companies and public security bureaus on a U.S. Commerce Department’s blacklist.
The department’s filing said the “entities have been implicated in human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uyghurs, Kazakhs, and other members of Muslim minority groups.”
Several Western governments, including the United States and the United Kingdom, have determined that the Chinese regime’s policies in Xinjiang amounted to genocide. An estimated 1 million people, most of them Uyghurs, are currently being detained in internment camps where they are known to be subjected to abuses, including forced sterilization, forced abortion, rape, torture, forced labor, and the removal of children from their families.
“It is exactly this type of behavior that got them blacklisted. It’s the monitoring of people. … It’s the human rights violation as it pertains to data privacy, that’s what it came down to,” Scott said.
The question now falls on whether the app should be available on Google and Apple’s apps stores.
“For Apple and Google to allow a blacklisted company to actually be on even Americans’ phones, I mean, there’s an issue there, right?” Scott said. “We cannot transact with them at all, but yet we’re forced to have this on our devices.”
Several countries—including Australia, Canada, the United States, and the UK—have announced diplomatic boycotts of the 2022 Winter Olympics, to be held in China’s capital Beijing from Feb. 4 to Feb. 20.
Apple and Google did not immediately respond to a request for comments.