It turned out that Facebook's VPN application "Onavo Protect" gathers information even when the function is off, not protecting privacy



Security researchers have found that "Onavo Protect", a VPN application for iOS developed by Onavo, a company acquired by Facebook, collects user information and sends it to Facebook. Once installed, Onavo Protect gathers information even if the function is turned off and promptly sends it, which is vicious behavior.

Notes on Analytics and Tracking in Onavo Protect for iOS
https://medium.com/@chronic_9612/notes-on-analytics-and-tracking-in-onavo-protect-for-ios-904bdff346c0

New Reason to Never Use Facebook's VPN: It May Be Siphoning Your Data Even When It's Off
https://gizmodo.com/new-reason-to-never-use-facebooks-vpn-it-may-be-siphon-1823587791

Facebook Onavo Protect does not protect against Facebook • The Register
https://www.theregister.co.uk/2018/03/07/facebook_onavo_protect_doesnt_protect_against_facebook/

Onavo, founded in 2009 as its predecessor Vircado, was acquired by Facebook for over $100 million (about 11 billion yen) in October 2013. Onavo has released the VPN application "Onavo Protect" to protect privacy. At the time of writing, Onavo Protect's App Store rating is 2.3 on a five-point scale.

"Onavo Protect - VPN Security" on the App Store
https://itunes.apple.com/jp/app/onavo-protect-vpn-security/id577491499


After that, Facebook added a "Protect" button to the Facebook application for iOS. Some media criticized this as steering users to the App Store page of the Onavo Protect application.


Will Strafach of Sudo Security Group, suspecting that Onavo Protect is not only closely tied to the Facebook application but is also tracking data, investigated what type of data it collects. As a result, he reportedly found that Onavo Protect uses the iOS SDK's "Packet Tunnel Provider" extension, operates as long as the VPN connection is up, and regularly sends data to Facebook (graph.facebook.com).

The transmission data discovered by Strafach is as follows.

· The name of the carrier that provides the mobile line
· Mobile network code
· Region/language setting
· iOS version
· Onavo application version
· Whether the screen of the user's mobile device is ON or OFF
· Daily Wi-Fi network usage (in bytes)
· Daily mobile network usage (in bytes)
· "Operating time" indicating the time when the VPN is connected

According to Strafach, after collecting information, Onavo Protect moves data from memory to a log file when more than 49 events are waiting in memory or more than 2 minutes have passed since the last update. The log file is then prepared for upload to Facebook, and data is apparently sent to Facebook regularly even when the Onavo Protect application is not running. In addition, Strafach says that "daily Wi-Fi network usage" and "mobile network usage" are collected even when the VPN function is turned off.

Strafach says, "I do not know what relationship there is between screen ON/OFF and use of the VPN. If my understanding is correct, the screen ON/OFF information allows the user to actively use the terminal positively. It is also strange that the server can determine the total VPN usage even if it is not connected to a VPN as needed," he says, and it is clear that what Facebook is going to do We point out. Then I should explain "Why Facebook collects certain data, what to do with it, I can not figure out why ambiguous things can be briefly explained. I hope that we respect privacy, and clarifying my doubts will be very good for Facebook."

in Mobile, Software, Security, Posted by darkhorse_log