Facebook Onavo Protect doesn't protect against Facebook

VPN app collects all sorts of details

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off.

In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, published his findings about the data collected by Onavo Protect for iOS.

The app, says Strafach, uses a Packet Tunnel Provider app extension – part of Apple's iOS SDK – to handle the VPN's network traffic routing. He claims the following data is being sent to Facebook:

So while the VPN may be protecting against eavesdropping on traffic traveling over an untrusted wireless network, it's simultaneously reporting details about its user to Facebook.

Strafach, in an email to The Register, said it's not clear what Facebook is doing.

"I cannot figure out why they collect the information that I am seeing," he said. "The screen thing does not seem relevant to VPN usage, it just tells them (I guess) how long you are actively on your phone during the day if I understand correctly."

Strafach said data usage tracking could make sense if Facebook were looking to identify those using too much data on its VPN.

"But the weird part is that the APIs called would tell them total usage even when not connected to the VPN, and additionally they could account for VPN usage on the server side if they wanted to," he said.

The Onavo privacy policy – more accurately described as a data use policy – explains that by using the app, "you choose to route all of your mobile data traffic through, or to, Onavo's servers." And the app says it may use collected data to "provide, analyze, improve, and develop new and innovative services for users."

So on some level, anyone using the app, let alone Facebook's other services, should be aware that they have surrendered their data, despite Facebook's assertion that Onavo "helps keep you and your data safe when you go online, by blocking potentially harmful websites and securing your personal information."

Facebook did not immediately respond to a request for comment.

Strafach argues that Facebook should be clearer about what it's doing with the data.

"They can easily clear things up by explaining more precisely why they collect certain data and what they do with it, so I don’t understand why they are so vague about it," he said. "I do hope they are being respectful of user privacy and it would be very nice if they clarified that I think." ®
