Recent media coverage of Onavo Protect encouraged me to investigate the code for the iOS version of their app. I wanted to determine what types of data are collected in addition to the alleged per-app-MAU tracking performed server-side.
I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:
When the user’s mobile device screen is turned on and turned off
Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
Total daily cellular data usage in bytes (Even when VPN is turned off)
Periodic beacon containing an “uptime” to indicate how long the VPN has been connected
If I’m reading this right, Strafach hasn’t found indications — yet? — that Onavo sends app usage data to graph.facebook.com, but we know Onavo collects that data.
What he has found so far doesn’t appear to be nearly that intrusive, but it’s also bizarre. For example, why does Facebook need to know when your phone’s display is on?
Tangentially, Onavo’s behaviour is the kind of thing I wish App Review was more strict towards. There’s perhaps a thin line between analytics packages that developers sometimes use and what Onavo does; similarly, there’s a thin line between Onavo’s data collection and Facebook’s entire business model. But this app is just skeevy — it buries its Facebook affiliation and data gathering behind a different brand and the promise of protecting you from phishing.