Facebook caused a lot of raised eyebrows when it incorporated the Onavo Protect iOS VPN app into its own app in a feature it called Protect.
Facebook billed it as protecting user data, but in practice it does the opposite, allowing Facebook to collect and analyze your data. A new analysis of the Onavo Protect code by security researcher Will Strafach raises more questions …
Strafach found that the app is collecting data even when the VPN is switched off.
I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:
- When user’s mobile device screen is turned on and turned off
- Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
- Total daily cellular data usage in bytes (Even when VPN is turned off)
- Periodic beacon containing an “uptime” to indicate how long the VPN has been connected
Data collected includes cellular carrier name, mobile network code, mobile country code, locale/language and iOS version.
Normally, if you want to find out what data an app is transmitting back to a server, you create a proxy to intercept the traffic – but Strafach notes that is difficult in this case.
Due to the nature of conducting analytics data uploads while the Packet Tunnel Provider is running, it is likely that data uploads will mostly occur inside the Onavo VPN tunnel.
In other words, the data being sent to Facebook is encrypted.
Strafach says his analysis raises a number of questions, including how it uses some of the data (like when your screen is on or off) and whether the data collected is in any way associated with the user’s Facebook account?
As always, our advice is to be wary of any free VPN: these generally make their money by selling the data. The safest course is to opt for a VPN that keeps no user logs.
Photo: Dado Ruvic/Reuters