Facebook Onavo Protect doesn't protect against Facebook

VPN app collects all sorts of details

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off.

In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, published his findings about the data collected by Onavo Protect for iOS.

The app, says Strafach, uses a Packet Tunnel Provider app extension – part of Apple's iOS SDK – to handle the VPN's network traffic routing. He claims the following data is being sent to Facebook:

So while the VPN may be protecting against eavesdropping on traffic traveling over an untrusted wireless network, it's simultaneously reporting details about its user to Facebook.

Strafach, in an email to The Register, said it's not clear what Facebook is doing.

"I cannot figure out why they collect the information that I am seeing," he said. "The screen thing does not seem relevant to VPN usage, it just tells them (I guess) how long you are actively on your phone during the day if I understand correctly."

Strafach said data usage tracking could make sense if Facebook were looking to identify those using too much data on its VPN.

"But the weird part is that the APIs called would tell them total usage even when not connected to the VPN, and additionally they could account for VPN usage on the server side if they wanted to," he said.

The Onavo privacy policy – more accurately described as a data use policy – explains that by using the app, "you choose to route all of your mobile data traffic through, or to, Onavo’s servers." And the app says it may use collected data to "provide, analyze, improve, and develop new and innovative services for users."

So on some level, anyone using the app, much less Facebook's other services, should be aware that they've surrendered their data, despite Facebook's assertion that Onavo "helps keep you and your data safe when you go online, by blocking potentially harmful websites and securing your personal information."

Facebook did not immediately respond to a request for comment.

Strafach argues that Facebook should be clearer about what it's doing with the data.

"They can easily clear things up by explaining more precisely why they collect certain data and what they do with it, so I don’t understand why they are so vague about it," he said. "I do hope they are being respectful of user privacy and it would be very nice if they clarified that I think." ®
