Facebook Onavo Protect doesn't protect against Facebook

VPN app collects all sorts of details

By Thomas Claburn in San Francisco

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off.

In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, published his findings about the data collected by Onavo Protect for iOS.

The app, says Strafach, uses a Packet Tunnel Provider app extension – part of Apple's iOS SDK – to handle the VPN's network traffic routing. He claims the following data is being sent to Facebook:

So while the VPN may be protecting against eavesdropping on traffic traveling over an untrusted wireless network, it's simultaneously reporting details about its user to Facebook.

Strafach, in an email to The Register, said it's not clear what Facebook is doing.

"I cannot figure out why they collect the information that I am seeing," he said. "The screen thing does not seem relevant to VPN usage, it just tells them (I guess) how long you are actively on your phone during the day if I understand correctly."

Strafach said data usage tracking could make sense if Facebook were looking to identify those using too much data on its VPN.

"But the weird part is that the APIs called would tell them total usage even when not connected to the VPN, and additionally they could account for VPN usage on the server side if they wanted to," he said.

The Onavo privacy policy – more accurately described as a data use policy – explains that by using the app, "you choose to route all of your mobile data traffic through, or to, Onavo’s servers." And the app says it may use collected data to "provide, analyze, improve, and develop new and innovative services for users."

So on some level, anyone using the app, much less Facebook's other services, should be aware that they've surrendered their data, despite Facebook's assertion that Onavo "helps keep you and your data safe when you go online, by blocking potentially harmful websites and securing your personal information."

Facebook did not immediately respond to a request for comment.

Strafach argues that Facebook should be clearer about what it's doing with the data.

"They can easily clear things up by explaining more precisely why they collect certain data and what they do with it, so I don’t understand why they are so vague about it," he said. "I do hope they are being respectful of user privacy and it would be very nice if they clarified that I think." ®
