Apple shuts down Facebook's 'Onavo' iOS app and activity snooper

Free VPNs aren't "free". You often end up paying for them with the private data many use them to protect in the first place. Facebook is just the latest case in point. Or, at least it was.
From the Wall Street Journal:
Apple's decision widens the schism between the two tech giants over privacy and is a blow to Facebook, which has used data gathered through the app to track rivals and scope out new product categories. The app, called Onavo Protect, has been available for free download through Apple's app store for years, with updates regularly approved by Apple's app-review board.
Onavo allows users to create a virtual private network that redirects internet traffic to a private server managed by Facebook. The app, which bills itself as a way to "keep you and your data safe," also alerts users when they visit potentially malicious sites. Facebook is able to collect and analyze Onavo users' activity to get a picture of how people use their phones beyond Facebook's apps.
Good on Apple, though pity it wasn't much, much sooner. I don't know if Facebook thought it was being clever or was simply being shameless. iOS isn't the platform for undisclosed data snooping.
Update: Here's how Onavo/Facebook itself described the activity:
As part of this process, Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.
Since there's no permission for users to grant or deny — iOS doesn't allow this activity directly so Facebook used the VPN to circumvent the built-in privacy protection — unless you read the fine print, it's unlikely you even knew you were being spied on.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
-
This is great and a Big win in my book for our privacy!
-
"Facebook VPN", what an oxymoron!
-
Well, the bigger issue is the P in VPN when Spybook is involved.
-
"Free VPNs aren't "free". You often end up paying for them with the private data many use them to protect in the first place." Nor are VPNs that advertise places with "lifetime subscriptions" for $20. But, I'd be more ok with Apple *NOT* choosing for people, and just saying "You can ONLY have the app if you have a warning telling people that you're sucking all this data to Facebook's servers".
-
Apple doesn't like certain things on their App Store, and it's their App Store so it's up to them whether they allow it or not. In terms of VPNs, I prefer to go down the L2TP route. L2TP is cross-platform, and is set up from the iOS settings, so you can use whatever VPN you like.
-
That this steaming pile of santorum was allowed onto the App Store in the first place is tragic enough. I realize not everyone's capable of setting up their own VPS to run a VPN host with an IKEv2/IPsec tunnel configured and hardened via strongSwan, but considering how bad even some (most?) paid VPN providers are these days* Apple really needs stricter guidelines here. *I reckon it'll only get worse. A lot of previously reputable VPN providers are getting bought up by scummy corporations - TunnelBear is owned by McAfee now, IPvanish and Encrypt.me (used to be called Cloak) are owned by Stackpath.
-
Good on Apple. Crookbook is NOT to be trusted and I appreciate Apple for their proactive move for doing what they can to keep the riff-raff out of the ecosystem.