Analysis of Facebook ‘Protect’ VPN code raises more questions

Updated with Facebook comment at the end

Facebook caused a lot of raised eyebrows when it incorporated the Onavo Protect iOS VPN app into its own app in a feature it called Protect.

Facebook billed it as protecting user data, but in practice it does the opposite, allowing Facebook to collect and analyze your data. A new analysis of the Onavo Protect code by security researcher Will Strafach raises more questions …

Strafach found that the app is collecting data even when the VPN is switched off.

I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:

• When user’s mobile device screen is turned on and turned off
• Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
• Total daily cellular data usage in bytes (Even when VPN is turned off)
• Periodic beacon containing an “uptime” to indicate how long the VPN has been connected

Data collected includes cellular carrier name, mobile network code, mobile country code, locale/language and iOS version.

Normally, if you want to find out what data an app is transmitting back to a server, you create a proxy to intercept the traffic – but Strafach notes that is difficult in this case.

Due to the nature of conducting analytics data uploads while the Packet Tunnel Provider is running, it is likely that data uploads will mostly occur inside the Onavo VPN tunnel.

In other words, the data being sent to Facebook is encrypted.

Strafach says his analysis raises a number of questions, including how it uses some of the data (like when your screen is on or off) and whether the data collected is in any way associated with the user’s Facebook account?

As always, our advice is to be wary of any free VPN: these generally make their money by selling the data. The safest course is to opt for a VPN that keeps no user logs.

Update: Facebook told us:

When people download Onavo Protect to help secure their connection, we are clear about the information we collect and how it is used. Like other VPNs, Protect acts as a secure connection including when people are on public Wi-Fi. As part of this process, Onavo receives their mobile data traffic. This helps us improve and operate the Onavo service. Because we’re part of Facebook, we also use this information to improve Facebook products and services. We let people know about this activity and other ways that Onavo uses, analyses, and shares data before they download it. We also regularly review our apps and make updates based on feedback from people.

Photo: Dado Ruvic/Reuters

Check out 9to5Mac on YouTube for more Apple news: