Date: 2022-01-20

BEIJING • A smartphone app built by China to monitor the health of attendees at next month's Beijing Winter Olympics contains security flaws that make it vulnerable to privacy breaches and hackers, according to a report released by Canadian researchers on Tuesday.

But a Games official has insisted that it is safe to be used.

The MY2022 app was built by the Beijing Organising Committee mainly to track and share Covid-19-related medical information among the athletes during the Feb 4-20 Games.

Researchers with Toronto's Citizen Lab project said MY2022 failed to properly encrypt the transfer of personal data, leaving it vulnerable to hackers.

They also found that the app's privacy policy does not specify which organisations it would share the users' information with.

The International Olympic Committee (IOC) said it had conducted independent assessments of the app and had not found any "critical vulnerabilities", and that installing the app was not compulsory.

Yu Hong, the director general of the organising committee's technology department, said yesterday that the main function of the app is to monitor people's health and that China follows strict rules to protect data.

All of the MY2022 app's technology aspects have been validated by the relevant app stores, the Beijing 2022 official said at a briefing hosted by the Chinese embassy in the United States.

She was speaking via video from Beijing.

Yu also said that technology vulnerabilities were natural when developing this kind of app, which her department was constantly updating to remove such issues.

The Citizen Lab researchers said they found the flaws in the iOS version of the app after creating an account in it.

They were unable to set up an account in the Android version but said the security flaws existed in both versions of MY2022.

The report said MY2022 failed to validate SSL certificates, which are needed to authenticate a website's identity and enable an encrypted connection.

Hackers can exploit this so that the data is transmitted to malicious sites.

Non-encrypted data is transmitted to "tmail.beijing2022.cn" by MY2022.

"Such data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, or an Internet Service Provider or other telecommunications company," the report said.

Citizen Lab said it had informed the organising committee on Dec 3 of its security concerns but had not received any response.

Meanwhile, a media representative of the Olympic Village confirmed to China's Global Times on Tuesday that the village has entered "closed-loop" management.

Staff entered the village weeks in advance and have all received booster shots, while the first group of athletes will start to move in on Sunday.

REUTERS