Side Channel Exploited by My2022 App

Recently, Canada’s Citizen Lab released a detailed investigation of the mobile app provided by the Government of the People’s Republic of China that appears mandatory for all attendees of the upcoming Winter Olympic games. We took a look to see if there was anything else we could find (version 2.0.4, released January 2022), and noticed evidence of a side channel being exploited. In particular, we found that the MAC address of the mobile device is being sent to the domain “bigdata.beijing2022.cn”.