https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/
… MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers
… some sensitive data is transmitted without any SSL encryption
Guess: bug or feature?
(Citizen Lab speculates it may be a software-development "feature" indirectly caused by political censorship requirements, rather than a directly political feature.)
Citizen Lab submitted the above issues to the Beijing Organizing Committee on December 3, 2021, and has received no response to date. The new version as of January 17 still has the problems described above, and the SSL handling of the newly added health-code feature likewise "failed to validate SSL certificates".
As for the sensitive-word censorship module that was bundled in but never actually used, it is probably some generic SDK package from the outsourced developers.
Citizen Lab also published this sensitive-word list while they were at it.
https://github.com/citizenlab/chat-censorship/tree/master/olympics