Thursday, February 15, 2018

Facebook’s “Protect” Feature

Adam C. Engst:

However, tapping Protect takes you to the App Store and displays an app called Onavo Protect — VPN Security. It is indeed a VPN — a virtual private network — that securely tunnels all your traffic through Onavo’s servers. The problem is that, as you might expect from the link source, Onavo is owned by Facebook. If you were to stumble on Onavo Protect in the App Store, you’d have to tap More and read the full description to discover that. If you read all the way to the end, you’d learn that Onavo Protect “directs all of your network communications through Onavo’s servers,” and that, “as part of this process, Onavo collects your mobile data traffic.”

Clearly, that menu item in the Facebook app should be labeled “Collect” instead of “Protect.”

Jamie Zawinski:

This lets Facebook “protect” you by intercepting and spying on the traffic of every other app on your phone including your web browser.

Nick Heer:

Even if you ignore potential anticompetitive issues, there’s still a question of whether users of Facebook’s VPN are adequately aware of how the company accesses and uses their data.

Previously: How Facebook Squashes Competition From Startups.

In other Facebook news, Kate Conger (via John Gruber):

Facebook is bleeding users, with external researchers estimating that the social network lost 2.8 million US users under 25 last year. Those losses have prompted Facebook to get more aggressive in its efforts to win users back—and the company has started using security prompts to encourage users to log into their accounts.

The texts are a particularly obnoxious form of spam, and instead of making me want to log into Facebook, they remind me why I’m avoiding it. It’s painful to see my ex’s name popping up on my phone all the time, and while my intern was great at her job, I’m not invested in keeping up with her personal life.

What’s most frustrating is that Facebook has taken a security feature like two-factor authentication—which gives users valuable protection from phishing and account takeovers—and perverted it into a tool for spam.

Update (2018-02-19): Nick Statt (Hacker News):

Facebook this evening clarified the situation around SMS notifications sent using the company’s two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to “send non-security-related SMS notifications to these phone numbers.”

See also: Josh Centers.

Update (2018-02-27): Will Strafach:

I have some questions regarding Facebook’s Onavo Protect VPN app. I don’t have any proper contacts to pass these through, but if anyone I know does, I would be super interested in knowing the answers, because this is weird.

1. why does Onavo Protect track (and send to ) timings for when people’s screens are on/off? what use is this info? (they monitor .springboard.hasBlankedScreen + .SubstantialTransition Darwin notifications)

2. why does Onavo Protect track (and send to ) daily Wi-Fi and cellular data byte usage counts for the device, even for when Onavo VPN is not running?

3. did Apple give Facebook permission to embed analytics data upload code in the Packet Tunnel Provider app extension? (the extension would be running while VPN is connected, so Facebook can perform periodic uploads in the background as much as desired)

Update (2018-03-07): Will Strafach (via Hacker News):

I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook ( as the user goes about their day:

  • When user’s mobile device screen is turned on and turned off
  • Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
  • Total daily cellular data usage in bytes (Even when VPN is turned off)
  • Periodic beacon containing an “uptime” to indicate how long the VPN has been connected

Update (2018-09-07): Juli Clover:

Facebook today removed VPN app Onavo Protect from the iOS App Store after Apple decided that it violates App Store data collection policies, reports The Wall Street Journal.

Apple earlier this month told Facebook officials that the Onavo app, which serves as a virtual private network, violates June App Store rules that prevent apps from harvesting data to build advertising profiles or contact databases.

John Gruber:

I’m glad Apple cracked down on this, but it shouldn’t have taken until August.

Bob Burrough:

I’m confused about how Onavo was getting data even when not connected as a VPN tunnel. I’m surprised an iOS app has access to this information at all.
