Chinese companion app sends unsecured data
The protection of our personal data becomes more and more important with every passing year. While a decade ago we rarely heard about cyber attacks, we now live in an age in which unauthorized data sets are migrating from A to B almost every day. Just this week, over 500,000 Red Cross records were stolen [1]since the data is particularly sensitive, the leak is a disaster.
In addition to the mandatory information that is requested about us every day, we are also happy to disclose data about our mobile devices. Most of the time we don’t even know what is being collected about us or where it is even being sent to. Privacy labels, such as those from Apple, also give us a false sense of security [2].
A recent example from China shows that communication between the app on the end device and the operator’s server can lead to serious security gaps. Because visitors to the Olympic Games in Beijing have to download an app designed by the Beijing Committee and leave it on their devices during the games. The problem: The app collects and sends some data.
This is nothing special in itself, but in the context of the Chinese app there is a fatal error in the validation of SSL certificates. These certificates are normally exchanged between the server and the end device, which is how the server identifies itself to the app. In this way, sending data to the wrong recipient can be almost completely ruled out.
It becomes problematic if, as in the example of the MY2022 app, you do not check where the data is being sent at all, because then third parties can simply intervene in the communication and read the data without any problems. Researchers found this vulnerability in version 2.0.0 for iOS and 2.0.1 for Android. The developer may even be breaking local laws with this, the Chinese counterpart to the GDPR does not actually allow such careless handling of data.
This means that some sensitive information collected within the app can be derived and resold. In addition to the health status of the visitor, this includes travel information or device data. An intention to make it easier for the Chinese government to collect data can actually be ruled out. After all, the data protection declaration already says that information is also gladly passed on to the state.
Via gizmodo
