Facebook pulls its privacy-violating Onavo VPN from Apple’s App Store

Apple last week suggested that Facebook remove its Onavo security app from the App Store due to privacy rule violations. On Wednesday, Facebook complied.
Onavo, an Israel-based company that Facebook acquired in 2013, has been raising eyebrows for months. Facebook had been pushing people to download the virtual private network (VPN) app for “protection” without mentioning that it was phoning home to Facebook to deliver users’ app usage habits… even when the VPN was turned off.
Back in March, after he saw media coverage of the app’s behavior and decided to see for himself what it was up to, Sudo Security Group CEO Will Strafach published his findings about the data collected by Onavo Protect for iOS.
Strafach said that he found that Onavo Protect “uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected”, and that this extension periodically sends the following data to Facebook as the user goes about their day:

  • When the user’s mobile device screen is turned on and turned off.
  • Total daily Wi-Fi data usage in bytes (even when the VPN is turned off).
  • Total daily cellular data usage in bytes (even when the VPN is turned off).
  • A periodic beacon containing an “uptime” value indicating how long the VPN has been connected.

As the Wall Street Journal reported last year, Facebook had used that data to track its competition and scope out new product categories.
Onavo Protect has been free to download from Apple’s App Store for years, sailing through Apple’s app review process with regularly approved updates. In addition to warning users about malicious sites, it lets them set up a VPN that redirects their internet traffic through one of Facebook’s servers: what Facebook bills as a way to “keep you and your data safe.”
But that arrangement enabled Facebook to collect and analyze users’ activity and find out how people use their phones beyond Facebook’s own mobile app. TechCrunch gave a few examples of how much this might benefit Facebook: the insights give it an early peek at apps that are becoming big hits, let it spot apps that are seeing slower user uptake, and give it feedback on which new features are appealing to users.

The snooping came to light after Apple added a “Protect” button in Facebook’s iOS app that took users to Onavo Protect in the App Store.
Somebody familiar with the Onavo situation told the Wall Street Journal that earlier this month Apple told Facebook that the app violated new rules, put forth in June, that limited data collection.
Those new guidelines stipulated that apps that get users’ permission to access contact lists and photos can’t then use the information to build databases or sell it to third parties. The new rules also said that apps need consent when “recording, logging or making a record of a user’s activity” and that advertisements inside apps must allow users to see all the information used to target them.
The person said that Apple told Facebook that Onavo violated a part of its developer agreement that prevents apps from using data in ways that go beyond what’s directly relevant to the app or to provide advertising.
Apple officials reportedly told Facebook last week that Onavo violated the company’s rules on data collection by developers. On Thursday, they suggested that Facebook voluntarily remove the app.
An Apple spokesperson told CNBC that the company’s latest guidelines make it clear that Onavo’s behavior was out of line:

We work hard to protect user privacy and data security throughout the Apple ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used.

In June, in hundreds of pages of written responses to questions from Congress, Facebook said that it’s not using Onavo data “for Facebook product uses” or to collect information about individuals. However, it did admit that it uses Onavo to gather information about apps’ popularity and what people do with them – information it uses to improve its own products, without tying it to individual users.
Facebook sent media outlets a statement in which it said that it’s always been upfront about Onavo with users: the Onavo privacy policy makes it clear that users are being tracked, it said.

We’ve always been clear when people download Onavo about the information that is collected and how it is used. As a developer on Apple’s platform we follow the rules they’ve put in place.

Nonetheless, when Apple suggested last week that Facebook yank the app, Facebook agreed, and down it came.


So Facebook bakes spyware into a security program and gets a pat on the wrist from the fools that distributed it for them. Nobody will be in court over this, as the power of corporate greed and collusion with corrupt spying agencies has no limits. But if an 18-year-old kid did that, in the slammer they would go, a little waterboarding, news outlets would make every demeaning comment about his upbringing they could dream of, and life is over. At least it’s being reported on.


I suspect that calling it “spyware” might be a step too far… and it seems Facebook didn’t fight Apple, so there’s a silver lining here. Let’s see what changes Facebook makes to the way the software works when it returns (I assume it will reappear at some point).


It seems Apple is making a compelling case of being the smartphone provider for customers who value their privacy, and I make that conclusion as an Android owner.


So what happens for the people that did install the VPN app now? Usually when an app is pulled, it still stays on people’s phones. Sometimes you get a notification when you try to launch it, but since this one was running in the background would that happen? And now it won’t get any updates and becomes a huge security risk. Also, I’m surprised FB complied so quickly. My guess is not enough people installed it so it’s not worth their while to keep developing the app.


> “So what happens for the people that did install the VPN app now? Usually when an app is pulled, it still stays on people’s phones”
So Apple (not Facebook) will send one final “update” which either deletes the app or makes it into a null stub.


I don’t think the app will automatically be deleted – if nothing else, autodelete leaves the issue of what to do with any data you may have saved with the app. Like Android, iOS apps and data go together in a sort of “authentication sandbox”, and when you delete the app, the data goes with it.

