This marks the end of one of the biggest teen-spying projects, used in the Facebook Research app, which is still available on Google Play. The social media giant claims it will run only paid user programs from now on. It remains to be seen if they keep their word.
Planting the Evil seed in Holy Ground
Onavo, a Tel Aviv-based mobile analytics company (no word about VPN yet), was sold to Facebook way back in 2013 for an undisclosed amount, estimated to be up to 200M, and became their first office in Israel. Even after the closing of the deal, there were no hints about creating a VPN or some other security solution – all communication was about helping clients reduce mobile data usage, expand the reach of the mobile internet across the globe, and provide a better e-experience.
Yet Onavo Protect happened, for better or for worse (probably for worse). It turned out this app, pretending to be a decent VPN, was a way for Facebook to collect data about all the apps on a user’s phone. This allowed them to know which apps were doing better than others and could be used to gain an advantage over the competitors and to help decide which companies should or shouldn’t be bought.
Sure, the legal department of Facebook made certain this was mentioned at the end of the Terms and Agreements, but few had the patience to scroll down far enough:
Onavo collects your mobile data traffic… Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.
This last sentence defeats the whole purpose of Onavo Protect VPN – to provide security and privacy for its user. While Onavo VPN might have killed an occasional pop-up or two, it certainly wasn’t doing the job it undertook. While VPNs encrypt your data so you can have an anonymous connection, Onavo Protect drives your traffic through a Facebook server to learn exactly what you’ve been doing, where, when and for how long.
Spreading the Seed across the Globe
At the beginning of 2018, this Facebook VPN started to show advertising for its iOS users, which was heavily criticized by both experts and users. It was even called spyware, and rightly so. It might be that Facebook decided to run a live test with the data collected about Apple users, checking whether their predictions about who will click on what were correct. Collecting data was, apparently, not enough, and showing ads seemed like the next step, turning users from unwilling donors to unwilling donors/lab bunnies.
When questioned by the US Congress in June, Facebook claimed that data from Onavo VPN isn’t used to profile individual users, only to see which apps are popular among its audience so they could improve their own products.
This is one of the industry’s best-kept secrets – there are low-level spammers and crappy email database sellers, while those with more money use content scraping or even sell “quality” databases for big money. The irony is that this is done by using data gathered by a so-called “security and privacy tool.”
On August 22, Facebook did that. Unfortunately for the less-informed users, those who already have the app installed will be able to continue using it. Those people will likely just have to wait for Apple to launch the next-gen iPhone so that everyone can buy it and say goodbye to the parasite that’s been living inside their smartphones for so long.
Onavo Protect and Google
The rotten fruit has been thrown away from the Apple store, yet there are plenty who still eat it. What about other stores, such as Google Play? Based on the accumulated number from early 2018, there were more than 33 million downloads for Android and iOS. In August 2018, Play Store showed 10M+, which means most of the damage was done to Apple users. It was only a matter of time before Onavo Protect would disappear from Google Play as well.
This again casts suspicion on Google – is there any chance that Android users were also part of a similar database game? We already know Google has had similar issues with privacy in the past. But selling data to third parties is less likely to be the case because Google makes money using that data to display its ads in your apps. It doesn’t mean the situation won’t change, but for now they hold the power by holding a monopoly – the majority of people use Google Search, Gmail, etc.
Onavo VPN no longer in the Google Play Store
Up until February 2019, there was not much to be happy about regarding Onavo and the Google Play Store, where half of all reviews (and there are 215K+ of them, rating the app 4.4/5) are positive.
When checking out this app on Android 7.x (Nougat), the reviews looked the same as in the desktop version.
But unfortunately, Android 6.x showed Review Highlights instead. And all of them were positive, which was a big issue as this version of the Android OS was still used by almost 1 out of 4 users worldwide, according to the Statcounter.com website.
Play Store presented this parasite as “Protect Free VPN+Data Manager,” which supposedly encrypts data, offers a free VPN (ever heard about free cheese? Then go check the mouse trap!), and informs when your apps have used a certain amount of data.
Although the Onavo company was searching for ways to maximize battery life, the latest reviews complained about a decrease in battery life which, if true, makes this alliance between the VPN and the Data Manager a truly unholy one.
On the bright side, the 12th most helpful comment expressed concern way back in May 2018 that this app collected data for Facebook. Unfortunately, this comment was 6th in August. And, speaking of alliances, another comment points out that they cannot use the Data Manager without turning on the VPN (we wonder why?) – they go together like horse and carriage it seems.
At least Google Play informed users about the data Facebook collects straight after the feature list. Unfortunately, it didn’t state that the gathered info can be sold to third parties as part of a database (a claim that was in Apple’s statement).
The 2nd most helpful comment went up from being 7th last week. The user expressed his disappointment at being referred to this VPN by McAfee. We haven’t heard in a while about McAfee and Facebook’s mutual projects, but in 2010 they were doing business together. So a referral network might be the primary channel of conversion because Onavo’s website and their Facebook account surely aren’t.
Two pages you should not visit
To be honest, when the Home page loaded on our laptops, we thought onavo.com was a web page cloaking scam and spent quite some time checking WHOIS and links to determine if visiting it was safe. Sadly, it all turned out to be true – it’s the official website of this crAPP with a working and no-longer-working link to Google Play and the Apple Store. Web.Archive.Org shows the situation was better in July but in no way was this anything but a landing page – the information is sparse, and you would find more pictures in a dictionary.
Facebook itself certainly also wasn’t calling everybody to Like and Share the Onavo Protect VPN page, and links in the search results for “Protect Free VPN+Data Manager” lead straight to Google Play. And rightly so, because while the website seems to have been designed in the School of Ugly, the Facebook page has been taken care of by the experts of the University of Disgusting. We sincerely hope that at least the latter turns out to be some sort of money laundering scam.
For Facebook, Onavo Protect was like an expansion of its tentacles. They’ve been hoarding loads of data about Facebook users but lacked information about what was happening beyond that. And Onavo VPN helped to overcome this. At the beginning of 2018, some users and media were infuriated that Facebook advertised this software and didn’t mention it belonged to them. Again, if you click “Read more,” you can learn about it, just like you could know what Onavo is all about if you scrolled all the way to the end.
As one commenter pointed out, Apple blaming Facebook over privacy is the same as the pot calling the kettle black. It’s still too early to say if this was a real accusation or just an agreement to demonstrate that things are being done for the sake of our privacy and security.
Anyone who has read at least a bit about VPNs and e-security in general should know that Israel is a partner of the US – a 5 Eyes country with one of the most sophisticated surveillance frameworks on Earth. So even for a true VPN, this is not a good combination. Add Facebook to the mix, and you have a security-related product that’s worse than cheap glasses – not only do you look bad, but your eyes are burning even more than without them. Use them long enough, and the sun may never rise for you again.