The MY2022 app is a required download for Olympians and looks like a security nightmare

Speed Skating Oval (Image credit: China Daily)

A while back we heard that a handful of countries advised their respective Olympic teams to leave all personal electronics at home and use a "burner phone" while in Beijing. This was, of course, done because of concerns about the Chinese government's heavy hand with the internet and all electronic communications. Sometimes, Big Brother really is watching.

It turns out that this advice was pretty solid, as researchers have torn apart the Android and iOS versions of the MY2022 app — which is required to be used by all Olympians — and found some really interesting things. Not the good kind of interesting, either.

There is a lot to process in this Twitter thread, and none of it is good. Taken at face value, the code for the app on both platforms shows:

  • The app takes full control of the microphone
  • The app forces itself into the foreground so Android users won't get a notification that it is running
  • The app can collect audio at any time
  • The app sends audio files to servers located in mainland China
  • The collected audio is processed by Chinese AI firm iFLYTEK, which has been blacklisted in the U.S. over security concerns
  • Users of Chinese brand phones from Huawei, Xiaomi, Vivo, Meizu, and Oppo devices also send data back to the manufacturer through the app

Yikes! This doesn't give an air of confidence about using the app that China forces athletes to install on their phones if they wish to participate in the 2022 Winter Games. It's also worth noting that both Apple and Google have done a lot of work to make sure applications can't do any of this. Still, no type of security protection is ever foolproof and this is a great example. I've tried to find someone in Beijing with an Android 12 phone to see if the microphone indicators are active, but I'm not very well connected in the Olympian crowd. If you are, please take a moment to help out.

My2022 Data Policy

(Image credit: The Citizen Lab)

It's very important to distinguish the things that are 100% happening from the things that could happen. We know the audio is being processed by a firm the U.S. claims is working for the Chinese Communist Party government. It's also a Chinese startup with offices located in China.

We also know that the app is forcing its way into the foreground. If you're not aware, that means the app runs as if it is being displayed on your screen, even if it's not. It's not a great practice, but the ability is there on Android and iOS because sometimes it's a necessary evil.

We know that the audio, once captured, is sent to a server located in China. This makes perfect sense — a Chinese firm is doing the processing, and Chinese companies all have servers located in China. This isn't a great thing, but it is an expected thing.

As for the rest, well, the app could fire itself up and record everything it hears without the user, or anyone around the user, knowing. It could then send this data to a server where an excellent AI can process it and flag anything it thinks needs to be heard by an actual human. Remember, China is a country that doesn't have any sort of First Amendment-style protections, and when inside Chinese borders, you can't just say whatever you want. Especially any sort of criticism of the government, or talk about Winnie the Pooh.

Every good story has two sides. Enter Dan Goodin, another security researcher and Ars Technica reporter who isn't quite sold on all of these claims. However, he fully agrees that the app is fishy AF and says that, going by The Citizen Lab's assessment, the app seems worrisome.

Maybe the app can do these things, but there is no proof it has or will.

He also tempers the discussion with a simple lack of proof. The app can possibly do other things, but there is no proof it has or will. He's right, too. Part of the reason is that research into the app is new, and the 2022 Winter Games just started, but another part is how mobile operating system application permissions work. In the end, too many things are lumped together, and apps get permissions they do not require because of it.
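The difference between what an app is permitted to do and what it has been shown to do can be checked from its manifest. The following is an added example, not code from the article or from The Citizen Lab's research: it audits a decoded `AndroidManifest.xml` (as produced by a tool such as apktool) for the combination described in the list above, namely microphone permission, a foreground service typed for microphone use, and network access. The package name, the sample manifest and the `audit_manifest` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android: XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package, NOT the real MY2022 manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.eventapp">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".VoiceService"
             android:foregroundServiceType="microphone|location"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Report whether the manifest allows microphone capture from a foreground service."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # foregroundServiceType is a '|'-separated flag list; keep services that include microphone.
    mic_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if "microphone" in (s.get(ANDROID_NS + "foregroundServiceType") or "").split("|")
    ]
    can_record = "android.permission.RECORD_AUDIO" in perms
    can_fgs = "android.permission.FOREGROUND_SERVICE" in perms
    return {
        "package": root.get("package"),
        "can_record": can_record,
        "can_upload": "android.permission.INTERNET" in perms,
        "mic_services": mic_services,
        # Capability only: this says what the app may do, not what it has done.
        "background_mic_capable": can_record and can_fgs and bool(mic_services),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A positive result here is evidence of capability; confirming actual recording or upload needs runtime observation, such as the Android 12 microphone indicator mentioned earlier.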

Pooh Bear

(Image credit: Between Us)

Bottom line, the only real solution in this sea of scary unknowns is to use a burner phone instead of one of the best Android phones. If everything claimed about the app is true, you'll still be sending every noise you make to the CCP, but once you're done with the 2022 Winter Olympics games, you can toss the phone into a wastebasket at the airport. Most of us won't have to worry about it because we're not attending the 2022 games, but similar situations can happen to anyone traveling internationally, especially when traveling to a country that doesn't respect your civil rights in the way you're accustomed to.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

15 Comments
  • The IOC is a joke
  • Yup...it's a sham
  • All sports are the same. People don't matter, only money. F1 is predominantly raced in autocracies, on tracks built with slave labour. European football franchises want to play all of their off season matches in these countries. The money is great, though. All to entertain the eccentric leader in (insert-country-here).
  • Huawei, Xiaomi, Vivo, Meizu, and Oppo and yet, people outside of China still purchase these phones. Do they think the info they enter into these phones is not making it back to the communists in China? Think again. Bad enough people turn their entire lives over to Facebook, twitter, instagram, etc. but to turn it directly to the Chinese gov't is insane. Your info....not mine....
    And yes, I'm still peed that back in '13 the gov't of China stole information from the US Gov't Office of Personal Management and that info included mine. Peed also at the US gov't for not protecting my information better. (But since that day, the tax payers of the USA have been paying for my credit and personal watch protection through a company called MYIDCARE. Guess I should say thanks.)
    And why are people going to China for the games? The IOC should be dismantled and all fired for even considering sending the games to a country that is noted to have Uyghurs in slave camps?
  • Custom ROMs. Darn shame LG left the game. The V60 was pretty alright, also had hidden AES support. Which I don't know why that was hidden. And if you had the dual screen case the AES pen could work on it too. Creating a weird notebook experience that came in handy, until I found out the way you had to put the phone in and out of the case was actually hazardous to the USB C port and broke one of my USB C ports in the process. SO... haven't used my dual screen case since.
  • I never planned to purchase any of those phones. When my kids want to download an app, they ask me first (I have blockers and other software that alerts me if they did). I always check the permissions and the developer location. Iffy country or permissions, I tell them find something else. Even a burner phone advice isn't good. The folks will still install their apps, and logins. They need to be told to create a separate email account, and they could then download needed software with that. However, don't login still with your regular instagram account. You could create an "Olympics only" account, and post there. Once back, you could download the pictures and repost to your regular accounts.
  • Are you telling me a country that's infected the world twice with two different covid strains in the 21st century, uses human slave labor, is the number one polluter in the world of land, air and sea; and harvests organs from living humans who dare defy the regime, isn't above reproach? NO, say it ain't so.
  • And the prize goes to......
    This wonderful gent right here!
  • I see no difference between what that required app does and what most other apps do or have the ability to do.
  • I wonder if an Android 12 phone running the app would get a privacy notification that the mic is in use while the app records audio? My assumption has been that both the camera and mic privacy notifications would be bypassed already by spy tools developed or purchased by someone with the financial resources of a nation state.
  • It just goes to show Apple and Google are in bed with the CCP. Any other app on their app stores would be banned for doing these things. Just like the NBA.
  • If you look up MY2022 on Google Play, at least they are honest under permissions that they essentially can get full control of your phone, including deleting content on your SD card and engaging screen unlock. Pathetic
  • Wonder how this app got approved by Apple???
  • Apple lets China get by with anything. Otherwise they wouldn't be allowed to sell their phones there. Profits mean more to Apple than anyone's safety, despite what they claim in their marketing materials.
  • It's disgusting the IOC allowed the Winter Olympics to be held in a communist nation like China.