Planting the Evil seed in Holy Ground
Onavo, a Tel Aviv-based mobile analytics company (no word about VPN yet) was sold to Facebook way back in 2013 for an undisclosed amount, estimated to be up to 200M, and became their first office in Israel. Even after the closing of the deal, there were no hints about creating a VPN or some other security solution – all communication was about helping clients reduce mobile data usage, expand the reach of the mobile internet across the globe, and provide a better e-experience.
Yet Onavo Protect happened, for better or for worse (probably for worse). It turned out this app, pretending to be a decent VPN, was a way for Facebook to collect data about all the apps on a user’s phone. This allowed them to know which apps were doing better than others and could be used to gain an advantage over the competitors and to help decide which companies should or shouldn’t be bought.
Sure, the legal department of Facebook made certain this was mentioned at the end of the Terms and Agreements, but few had the patience to scroll down far enough:
Onavo collects your mobile data traffic… Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.
This last sentence defeats the whole purpose of Onavo Protect VPN – to provide security and privacy for its user. While Onavo VPN might have killed an occasional pop-up or two, it certainly wasn’t doing the job it undertook. While VPNs encrypt your data so you can have an anonymous connection, Onavo Protect drives your traffic through a Facebook server to learn exactly what you’ve been doing, where, when and for how long.
Spreading the Seed across the Globe
In the beginning of 2018, this Facebook VPN started to show advertising to its iOS users, which was heavily criticized by both experts and users. It was even called spyware, and rightly so. It might be that Facebook decided to run a live test with the data collected about Apple users, checking whether their predictions about who will click on what were correct. Collecting data was, apparently, not enough, and showing ads seemed like the next step, turning users from unwilling donors to unwilling donors/lab bunnies.
When questioned by the US Congress in June, Facebook claimed that data from Onavo VPN isn’t used to profile individual users, only to see which apps are popular among its audience so they could improve their own products.
This is one of the industry’s best kept secrets – there are low-level spammers and crappy email database sellers, while those with more money use content scraping or even sell “quality” databases for big money. The irony is that this is done by using data gathered by a so-called “security and privacy tool”.
On August 22, Facebook did that. Unfortunately for the less-informed users, those who already have the app installed will be able to continue using it. Those people will likely just have to wait for Apple to launch the next gen iPhone so that everyone can buy it and say goodbye to the parasite that’s been living inside their smartphones for so long.
Onavo Protect and Google
The rotten fruit has been thrown away from the Apple store, yet there are plenty who still eat it. What about other stores, such as Google Play? Based on the accumulated number from early 2018, there were more than 33 million downloads for Android and iOS. At the moment, Play Store shows 10M+ which means most of the damage was done to Apple users. Perhaps we will not see any ads on the Android version and witness the app get thrown out too.
This again casts suspicion on Google – is there any chance Android users are also part of a similar database game? We already know Google has had similar issues with privacy in the past. But selling data to third-parties is less likely to be the case because Google makes money using that data to display their own ads in your apps. It doesn’t mean the situation won’t change, but for now they hold the power by holding a monopoly – the majority of people use Google Search, Gmail, etc.
Onavo VPN still in the Google Play Store
For now, there’s not much to be happy about in relation to Onavo and the Google Play Store, where 2 out of 4 reviews (and there are 215K+ rating the app 4.4/5) are positive (desktop view).
When checking out this app on Android 7.x (Nougat), the reviews looked the same as in the desktop version.
But unfortunately, Android 6.x shows Review Highlights instead. And all of them are positive, which is a big issue as this version of the Android OS is still used by almost 1 out of 4 users worldwide, according to the Statcounter.com website.
Play Store presents this parasite as “Protect Free VPN+Data Manager”, which supposedly encrypts data, offers a free VPN (ever heard about free cheese? Then go check the mouse trap!), and informs when your apps have used a certain amount of data.
Although the Onavo company is or has been searching for ways to maximize battery life, recent reviews complain about a decrease in battery life which, if true, makes this alliance between the VPN and the Data Manager a truly unholy one.
On the bright side, the 12th most helpful comment expressed concern way back in May that this app collects data for Facebook. Unfortunately, this comment was 6th last week. And, speaking of alliances, another comment points out that they cannot use the Data Manager without turning on the VPN (We wonder why?) – they go together like horse and carriage it seems.
At least now Google Play informs users about the data Facebook collects straight after the feature list, yet it doesn’t state that the gathered info might be sold to third-parties as part of a database (a claim that was in Apple’s statement).
The 2nd most helpful comment went up from being 7th last week. The user expresses his disappointment about being referred to this VPN by McAfee. We haven’t heard in a while about McAfee and Facebook’s mutual projects, but in 2010 they were doing business together. So a referral network might be the primary channel of conversion because Onavo’s website and their Facebook account surely aren’t.
Two pages you should not visit
To be honest, when the Home page loaded on our laptops, we thought onavo.com was a web page cloaking scam and spent quite some time checking WHOIS and links to determine if visiting it was safe. Sadly, it all turned out to be true – it’s the official website of this crAPP with a working and no-longer-working link to Google Play and the Apple Store. Web.Archive.Org shows the situation was better in July but in no way was this anything but a landing page – the information is sparse and you would find more pictures in a dictionary.
Facebook itself certainly also wasn’t calling everybody to Like and Share the Onavo Protect VPN page, and links in the search results for “Protect Free VPN+Data Manager” lead straight to Google Play. And rightly so, because while the website seems to have been designed in the School of Ugly, the Facebook page has been taken care of by the experts of the University of Disgusting. We sincerely hope that at least the latter turns out to be some sort of money laundering scam.
For Facebook, Onavo Protect is like an expansion of its tentacles. They’ve been hoarding loads of data about Facebook users, but lacked information about what was happening beyond that. And Onavo VPN helped to overcome this. In the beginning of 2018, some users and media were infuriated that Facebook advertised this software and didn’t mention it belonged to them. Again, if you click “Read more”, you can learn about it, just like you could know what Onavo is all about if you scrolled all the way to the end.
As one commenter pointed out, Apple blaming Facebook over privacy is the same as the pot calling the kettle black. It’s still too early to say if this was a real accusation or just an agreement to demonstrate that things are being done for the sake of our privacy and security.
Anyone who has read at least a bit about VPNs and e-security in general should know that Israel is a partner of the US – a 5-eyes country with one of the most sophisticated surveillance frameworks on Earth. So even for a true VPN this is not a good combination. Add Facebook to the mix and you have a security-related product that’s worse than cheap glasses – not only do you look bad, but your eyes are burning even more than without them. Use them long enough, and the sun may never rise for you again.