This Citizen Lab report analyzes the MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing. The report shows that the app has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.