The app, which was free to download, promoted itself as helping users keep themselves and their data safe when you go online, “blocking potentially harmful websites and securing your personal information.”
What users of Onavo may not have realised was that the app was also being used by Facebook to collect information about other apps installed on a user’s iPhone.
Under Apple developer guidelines, such information is not allowed to be collected by apps for analysis or marketing. However, data collected by Onavo is used to provide valuable market intelligence about marketshare and usage of apps.
In the words of the app’s own store description:
“Onavo may collect your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps, and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.”
According to a report in the Wall Street Journal, Apple and Facebook met last week to discuss concerns about the behaviour of the app, where the iPhone maker suggested that it be withdrawn from the App Store. Facebook, seemingly recognising that it would look better to choose to withdraw the app than be kicked out of the store, agreed.
A Facebook spokesperson claimed that the company has been upfront about how Onavo works:
“We’ve always been clear when people download Onavo about the information that is collected and how it is used. As a developer on Apple’s platform we follow the rules they’ve put in place.”
In the past, Facebook chief Mark Zuckerberg and Apple boss Tim Cook have publicly disagreed over their respective companies’ different approaches to user privacy.
Although the Onavo Protect app has now been withdrawn from the App Store, it’s possible that there are still plenty of users still relying on the service. In light of the accusations of data-harvesting, users would be wise to uninstall it from their devices.
Even if you aren’t concerned about the data collection, the app will no longer be receiving updates including, if they were made available, security updates. So the only sensible step is to remove the app and find an alternative VPN service which respects your privacy.
One other thing. Facebook has only pulled its controversial Onavo Protect VPN app from Apple’s app store. It is still available from the Google Play Android marketplace, where it has been downloaded over 10 million times.
Unlike Apple, Google may not be kicking up a stink about Facebook’s Onavo app but that’s not a reason for Android users to be any less concerned. Think carefully about what apps you install on your smartphone, and always consider how app developers might be planning to monetise your private data.