Facebook’s VPN Onavo is collecting user data even when the app is closed!


Facebook has launched its own mobile VPN application called Onavo, the stated purpose of which is to protect users' personal information over public networks. However, the application actually collects user data even when the user has disabled it.



Will Strafach, CEO of the Sudo Security Group, wrote up his findings on the data collected by Onavo. The app uses a Packet Tunnel Provider app extension, part of Apple’s iOS SDK, to handle the VPN’s network traffic routing.

Facebook started pushing its Android and iPhone (iOS) users to install a VPN app called Onavo, which the social media giant bought from an Israeli firm in October 2013. Facebook claims it wants users to install Onavo to protect them against threats through an encrypted network, but that claim is far from the truth.

In reality, the Onavo app gives the company even more freedom to study the behavior of social network users by analyzing what they access and view online. In a report last month, Onavo was labeled as spyware, and now a researcher has identified more serious concerns regarding the app and its use by Facebook.

According to a blog post by InfoSec researcher Will Strafach, who analyzed the Onavo code, the VPN app collects information from users even when the feature is turned off, which is not very clear to the person using the social networking application. The VPN app also regularly passes the following data to Facebook:

- When mobile data is turned on and off
- Daily WiFi usage (even when the application is turned off)
- Daily cellular data usage (even when the application is turned off)
- Amount of VPN time used
- Location data
- Log file of the user

However, things are not as simple as Facebook has claimed. A report published by the Wall Street Journal said that Facebook would be using Onavo’s VPN to take advantage of competitors, and described how it creates a private network that encrypts the user’s browsing traffic on the Internet. During the process, the program redirects the information to Facebook’s servers, which record the actions in a database.

