By Sophie Williams & Frances Mao
The Beijing Winter Olympics app that all Games attendees must use contains security weaknesses that leave users exposed to data breaches, analysts say.
The My2022 app will be used by athletes, audience members and media for daily Covid monitoring.
The app will also offer voice chats, file transfers and Olympic news.
But cybersecurity group Citizen Lab says the app fails to provide encryption on many of its files. China has dismissed the concerns.
Questions about the app come amid a rise in warnings about visitors’ tech security ahead of the Games, which begin on 4 February.
People attending the Beijing Olympics should bring burner phones and create email accounts for their time in China, cyber security firm Internet 2.0 said on Tuesday.
Several countries have also reportedly told athletes to leave their main devices at home.
The Citizen Lab report said it had found a “censorship keywords” list built into the app, and a feature that allows people to flag other “politically sensitive” expressions.
The list of words included the names of Chinese leaders and government agencies, as well as references to the 1989 killing of pro-democracy protesters in Tiananmen Square, and the religious group Falun Gong, which is banned in China.
The analysts noted that these features and security flaws are not uncommon for apps in China but posed a risk to users nonetheless.
Analysts said the “illegal words” file appeared to be currently inactive, but it was unclear.
All visitors to the Games are required to download the app 14 days prior to their departure for China, and use it to record their Covid status daily.
Foreign visitors also need to upload sensitive information already submitted to the Chinese government – like passport details and travel and medical histories.
Citizen Lab said transmission weaknesses in the app’s software could lead to easy exploitation of data by a hacker, if targeted.
In a report on Tuesday, Chinese state media outlet Global Times dismissed concerns about the app, saying “all personal information will be encrypted to ensure privacy”.
It compared the app to one that had been used at the Tokyo Games.
Cyber security firm Internet 2.0 has also warned of potential security risks during the Olympics.
In a report seen by the BBC, it stressed the need for burner phones and reminded people not to use these devices after leaving China.
The report looked at some of the technology sponsors of the Games and their products in order to show “the sophisticated and broad surveillance culture that exists in China”.
One product, a VPN by Qi-Anxin, was able to capture a significant amount of user data, the report said. Under China’s national security laws, authorities can request to access this data.
“China’s national data security laws are not designed with the Western values of privacy and liberty and do not offer the same level of protection,” the report said.
Team USA has encouraged its athletes to use a new device, according to USA Today.
A bulletin seen by the US outlet allegedly “encouraged” burner phones and rental or disposable computers for members of its team.
“Like computers, the data and applications on cell phones are subject to malicious intrusion, infection and data compromise,” the bulletin said.