Paris 2024 Olympics Android Mobile app
27 July 2024. All users are encouraged to “REJECT ALL” cookies and pixels to stop TikTok and others collecting their data through the IOC Paris 2024 app and website.
This report reviews the cyber security and privacy of the IOC Paris 2024 Olympics Android mobile application. We conducted tests on the IOC app on 25-27 July 2024 on a Samsung Android phone in the United States, including both static tests using Malcore and dynamic tests over the test period to verify what the code does in operation at the time of testing.
Malcore is a reverse engineering cyber security tool for files, malware and cyber intelligence that also provides detailed analysis of Android mobile applications. Malcore publishes an objective annual industry benchmark report for social media applications.
Summary of Findings
All users are encouraged to “REJECT ALL” cookies and pixels.
If your country has a restricted use policy on the use of TikTok software on government devices, it is probably necessary to ‘reject all’ cookies to remain compliant with these policies (see figure 1). We recommend clicking ‘Reject all’ within the app’s security settings to block the TikTok, Meta and Google tracking pixels.
The IOC Paris 2024 app has a Malcore score of 52, poorer than most social media applications scored in 2024. When the user ‘accepts all’ tracking cookies and software development kits (SDKs), 12 third parties are able to receive user data.
The score would effectively halve only when the user chooses to ‘reject all’ data sharing with third parties. This is possible because the app uses the One Trust SDK, which allows users to ‘reject all’ third parties.
Also significant: we found that Huawei Mobile Services Core is present in the codebase but was not in use during our testing on a Samsung device. It is an open question for the developers under what circumstances Huawei Mobile Services Core is in operation, for example only when the app runs on a Huawei phone, and if so, whether this is disclosed to the user. We did not have the capacity to test the application under multiple variations, such as on a Huawei device, but we note that there was no warning to the user that Huawei is a third-party SDK within the application.
Figure 1. Reject All
Malcore Score Unpacked
As noted above, Malcore’s static analysis of the Paris 2024 Olympics app produced a Malcore score of 52, which is a relatively poor score for privacy and security. With the Malcore Score, the higher the score, the higher the risk from a security and privacy perspective. How scores are calculated is objective and published.
For context, TikTok scored 63.1 in 2023 and 60 in 2024. A score of 52 is quite poor considering the industry average in 2024 was 28.96; see figure 2 for the comparison with the industry. For more context, the Paris 2024 Olympics app scored more poorly than every other social media app in the 2024 survey except Russia’s VK and TikTok, because it holds 12 software development kits (SDKs). Of note, the application shares data with Google, Meta, TikTok, SAP and several other third parties when the user ‘accepts all’ policies.
Figure 2. 2024 Malcore social media analysis
TikTok Pixel and other trackers
The Paris 2024 application embeds the TikTok tracking pixel as a JavaScript embed if the user ‘accepts all.’ It uses the following code:
name:"TikTok",slug:"tiktok",domain:"tiktok[dot]com",script:"//www[dot]tiktok[dot]com/embed[dot]js"
Based on our analysis, the TikTok Pixel posts the following data (see figure 3):
Timestamp
Browsing activity
Device type
Browser type, and
Encrypted email and phone number of the user
Figure 3. TikTok Pixel analysis.
If your country has a restricted use policy on the use of TikTok software on government devices, it is probably necessary to ‘Reject all’ cookies to remain compliant with these policies. The use of the TikTok pixel could still cause some non-compliance risks associated with these policies, although the pixel collects far less data than the TikTok phone application.
In December 2023 the SMH newspaper tested the TikTok Pixel and found that on some occasions it did not wait for users’ consent before collecting user data. Because of this lack of consent, and following government bans on TikTok coupled with concerns that Chinese ownership obliges the company to follow Chinese data-sharing laws, some companies removed the TikTok tracking pixel.
During Malcore static analysis we found the following additional SDKs present in the application’s codebase; see figure 4.
Figure 4. SDKs found by Malcore
The inclusion of the One Trust SDK is a very positive aspect of the application. It is designed to allow the user to turn off SDKs and all pixels, either when accepting the terms of service or later in the security settings. If the user clicks ‘reject all,’ the relative Malcore score would effectively halve, bringing it below the 2024 industry average. When we tested the application after ‘reject all’ was selected, we confirmed that third-party SDKs were not able to share data.
We noted that the application still functioned well after ‘reject all’ was selected, and we question why the application needs all 12 SDKs and pixels embedded to begin with, as most of these services are not required for the application to function.
Selecting ‘reject all’ is the step required to turn off the TikTok and Meta tracking pixels. This feature reflects a privacy-first culture, and we encourage all users to ‘reject all’ cookies in the security settings of the app. See figure 2 for the key step to ‘reject all’ cookies and SDKs.
If the user clicks ‘accept all’ on a Samsung device then user data can be sent to the following third parties:
· Paris 2024
· TikTok
· Youbora
· BDT SDK Mark
· BDT SDK Perf
· Deltatre Sportdatacomponents
The iOS version of the Paris 2024 app lists similar, but not exactly the same, third parties.
When ‘Reject all’ is enabled
Despite the praiseworthy ‘Reject all’ feature, dynamic testing revealed that the app still collects and posts some location-based data. The app derives location data from the public IP address and posts this to
https://geoip[dot]olympics[dot]com
The domain then sends back to the app location data including country, city, area code, connection type and speed, and postal code. The app also collects AdID, device ID, build information, local and public IP address, screen resolution, installation time and the user’s country every time the application requests data from its servers. In theory, by still collecting AdID the Olympics has the capability to enrich its data with third-party location data, unwinding the user’s ‘Reject all’ choice.
We would suggest the Olympics not collect AdID after the user chooses to ‘Reject all’.
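The consent check described in this section, written out as an added example (not code from the report or from Malcore): it walks a captured request log and flags any third-party tracker contacted, or any first-party request still carrying an advertising ID, after the user has chosen ‘Reject all’. The log entries and the parameter names (adid, gaid) are constructed for illustration; the domains are the ones named in this report.

```python
"""Consent audit over a captured request log (constructed sample)."""
from urllib.parse import urlparse

# Assumed classification: trackers named in the report vs. the app's own domain.
THIRD_PARTY_DOMAINS = {"tiktok.com", "dbankcloud.cn", "dbankcloud.ru"}
FIRST_PARTY_DOMAINS = {"olympics.com"}
# Hypothetical parameter names that carry an advertising identifier.
ADID_FIELDS = {"adid", "advertising_id", "gaid"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (sufficient for this sample)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(host: str) -> str:
    """Label a destination host as first-party, third-party or unknown."""
    domain = registrable_domain(host)
    if domain in THIRD_PARTY_DOMAINS:
        return "third-party"
    if domain in FIRST_PARTY_DOMAINS:
        return "first-party"
    return "unknown"


def audit(requests, consent: str):
    """Return (finding, host) pairs for a capture taken under the given consent state.

    requests: iterable of {"url": str, "params": dict}; consent: "accept_all" | "reject_all".
    """
    findings = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        fields = {k.lower() for k in req.get("params", {})}
        if consent == "reject_all" and classify(host) == "third-party":
            findings.append(("third_party_after_reject", host))
        if consent == "reject_all" and fields & ADID_FIELDS:
            findings.append(("adid_after_reject", host))
    return findings


# Constructed capture modelled on the behaviour the report describes after 'Reject all'.
SAMPLE = [
    {"url": "https://geoip.olympics.com/lookup",
     "params": {"adid": "00000000-0000-0000-0000-000000000000", "ip": "203.0.113.5"}},
    {"url": "https://www.tiktok.com/embed.js", "params": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "reject_all"):
        print(finding)
```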
Location Data
Static analysis revealed that the application’s code contains the capability to collect very accurate GPS-based location data, including the user’s longitude and latitude as well as time, speed, altitude and bearing. See figure 5 for this location data code. While the code was not posting to third parties during Malcore’s dynamic testing, the capability exists within the Paris 2024 application.
Figure 5. Fine Location Permission
Huawei Mobile Services
Huawei was not identified to users in the third-party list of companies with access to their data. Despite this, Huawei Mobile Services Core was present within the codebase during static analysis, including Huawei location services (see figure 6), with the following permission granted to the app:
‘com.huawei.permission.ACCESS_HW_KEYSTORE’
During dynamic analysis we could not verify that the app enabled Huawei Mobile Services Core. However, during dynamic testing within Google’s VirusTotal tool, the behaviour section showed Huawei Mobile Services Core constructing in-memory patterns referencing domains hosted in Russia and China and operated by Huawei. These are:
metrics1-drcn.dt.dbankcloud.cn:44
metrics5.dt.dbankcloud.ru:644
It is an open question for the developers of the Paris 2024 app why Huawei Mobile Services Core is present within the codebase but not identified to the user when all other third parties are. Another open question is whether this code is used only in certain circumstances, for example only when a Huawei phone is running the Paris 2024 app.
Figure 6. Huawei location
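The disclosure gap raised in this section, as an added example (not code from the report or from Malcore): it reads a decoded AndroidManifest.xml, maps vendor-specific permission prefixes to vendor names, and diffs them against the third-party list the app shows the user, also flagging fine-location permission. The manifest fragment is constructed (it assumes the binary manifest has already been decoded, e.g. with apktool) and the prefix table is an assumption; the Huawei permission string and the disclosed-vendor list are the ones reported above.

```python
"""Disclosure gap check: vendors in the manifest vs. vendors disclosed to the user."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical mapping from permission/package prefixes to a vendor name.
VENDOR_PREFIXES = {
    "com.huawei.": "Huawei",
    "com.google.android.gms.": "Google",
}

# Permission that grants precise (GPS) location, as discussed in the report.
FINE_LOCATION = {"android.permission.ACCESS_FINE_LOCATION"}


def manifest_permissions(xml_text: str):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def vendors_in_manifest(perms):
    """Vendors inferred from permission prefixes present in the manifest."""
    return {vendor for p in perms
            for prefix, vendor in VENDOR_PREFIXES.items() if p.startswith(prefix)}


def undisclosed_vendors(perms, disclosed):
    """Vendors present in the code but absent from the user-facing third-party list."""
    return vendors_in_manifest(perms) - set(disclosed)


def has_fine_location(perms) -> bool:
    return bool(FINE_LOCATION & set(perms))


# Constructed manifest fragment; only the Huawei permission string comes from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.huawei.permission.ACCESS_HW_KEYSTORE"/>
</manifest>"""

# Third parties the app discloses on a Samsung device, per the report.
DISCLOSED = ["Paris 2024", "TikTok", "Youbora", "BDT SDK Mark",
             "BDT SDK Perf", "Deltatre Sportdatacomponents"]

if __name__ == "__main__":
    perms = manifest_permissions(SAMPLE_MANIFEST)
    print("undisclosed vendors:", undisclosed_vendors(perms, DISCLOSED))
    print("fine location permission:", has_fine_location(perms))
```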
Anyone who worries about TikTok but not Google, Facebook et al. is frankly incredibly naive.