Analysis of Facebook’s Onavo VPN App Reveals Widespread Data Collection

Facebook is now offering some mobile app users a wireless-networking app without first disclosing that it’s owned by Facebook, or that it collects information for the social networking company.

The app, Onavo Protect, provides users with a virtual private network, or VPN. Typically, a VPN cloaks the user’s identity and adds other security features, making it a more secure way to get online, particularly when using public Wi-Fi networks.

Yet the Onavo app also tracks data that it shares with Facebook and others, “including the applications installed on your device, your use of those applications, the websites you visit and the amount of data you use,” according to its own privacy policies.

A new article from Will Strafach on Medium delves into the code of the iOS version of Onavo, investigating the data packages that Facebook’s Onavo Protect app collects and asking why Facebook needs to know when your iPhone screen is on or off.

“I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day,” reads the article.

According to the report, the app collects information such as the times at which you turn your iPhone screen on and off, daily data usage via Wi-Fi (even if the VPN function is off), daily mobile data usage in bytes (even if VPN is off), and for how long the VPN has been connected.

Data collected includes cellular carrier name, mobile network code, mobile country code, locale/language and iOS version.

This level of data collection allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year.

Facebook released the following statement:

When people download Onavo Protect to help secure their connection, we are clear about the information we collect and how it is used. Like other VPNs, Protect acts as a secure connection including when people are on public Wi-Fi. As part of this process, Onavo receives their mobile data traffic. This helps us improve and operate the Onavo service. Because we’re part of Facebook, we also use this information to improve Facebook products and services. We let people know about this activity and other ways that Onavo uses, analyses, and shares data before they download it. We also regularly review our apps and make updates based on feedback from people.