Facebook Onavo VPN app collects user data even when it’s off

In February this year, Facebook started pushing its Android and iPhone (iOS) users to install a VPN app called Onavo which the social media giant bought from an Israeli firm in October 2013. The reason Facebook claims it wants users to install Onavo is to provide them protection against threats through an encrypted network, however, the reality is far from the truth.

In reality, Onavo app gives the company even more freedom to analyze the behavior of social network users by analyzing what they access and view online. In the last month report, Onavo was labeled as spyware and now a researcher has identified more serious concerns regarding the app and its use by Facebook.

According to a blog post by an InfoSec researcher Mr. Will Strafach, he analyzed the Onavo code and found that the VPN app is collecting information from users even when the feature is turned off, which is not very clear to the person using the social networking application. Also, the VPN app regularly passes the following data to Facebook:

  • When user’s mobile device screen is turned on and turned off
  • Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
  • Total daily cellular data usage in bytes (Even when VPN is turned off)
  • Periodic beacon containing an “uptime” to indicate how long the VPN has been connected

What data the VPN app collects

Furthermore, Strafach’s found that the data collected and sent to Facebook includes device-related information including cellular carrier name, mobile network code locale/language and iOS version. Moreover, from these findings, the researcher puts an important question including

  1. How does Facebook use the “total Wi-Fi data usage” and “total cellular data usage” counts collected every day by Onavo Protect?
  2. How is Facebook using this information, which even includes the time when your screen is on or when it is off? and
  3. Is Facebook using the device ID sent by the VPN app to track browser habits of user’s Facebook account?
Facebook wants you to install a VPN app accused of spying on users
Reviews on the Onavo’s VPN app on Android store

Amid accusation, Facebook has also responded and told 9to5Mac that: When people download Onavo Protect to help secure their connection, we are clear about the information we collect and how it is used. Like other VPNs, Protect acts as a secure connection including when people are on public Wi-Fi. As part of this process, Onavo receives their mobile data traffic.”

Related: Why You Should Use These 5 VPN Services

“This helps us improve and operate the Onavo service. Because we’re part of Facebook, we also use this information to improve Facebook products and services. We let people know about this activity and other ways that Onavo uses, analyses, and shares data before they download it. We also regularly review our apps and make updates based on feedback from people,” the statement said.

However, things are not as simple as Facebook has claimed. A report published by the Wall Street Journal said that Facebook would be using Onavo’s VPN to take advantage of competitors and how it creates a private network that encrypts the user’s browsing traffic on the Internet. During the process, the program redirects the information to Facebook’s servers, which record the actions in its database.

Image credit: DepositPhotos


Carolina works for HackRead as a technical writer. She is a Brazilian traveller who has been to almost every country around the world. She has a keen interest in technology, gadgets and social media.