
Facebook to Remove Onavo App from Apple Store - mudil
https://www.wsj.com/articles/facebook-to-remove-data-security-app-from-apple-store-1534975340
======
seibelj
I know exactly how this software works because I have analyzed it deeply.
Every packet that goes through the Onavo VPN is analyzed. Using APIs
available to a normal sandboxed app, the source port is mapped with the
process ID, then mapped to the package identifier, and then Facebook knows how
much data is being used by which apps. Until SSL was mandatory for apps, they
could also analyze the data itself, but that was stopped a couple years ago on
iOS.

Once Facebook has all the packets, they can do various analyses and machine
learning to even learn which features are most popular within a competitor's
app. It is quite sophisticated.
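
The attribution chain the comment describes (source port to socket, socket to process, process to app identifier) is easiest to see in code. The following is an added illustration for readers of this thread, not Onavo's code and not something the comment provides; it uses the Linux /proc/net/tcp format rather than any iOS API, and the /proc/net/tcp lines, the inode-to-PID table, the app identifiers and the packets are all constructed sample data. It shows that per-app byte counts and destination addresses are visible to a device-local VPN even when every payload is TLS-encrypted, because the payload is never needed for the accounting.

```python
"""Per-app traffic accounting as a device-local VPN could perform it.

Added example (hypothetical, not Onavo's code). Attribution works on
metadata only: source port -> socket inode -> PID -> app identifier.
The payload field of each packet is never read, which is why TLS does
not stop this kind of metering.
"""
from collections import defaultdict

# Constructed sample of /proc/net/tcp (Linux). local_address is a hex IPv4
# (little-endian on x86) plus ':' and a hex port; the tenth column is the
# socket inode. Ports C350/C351/C352 are 50000/50001/50002.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:C351 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C352 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40003 1 0000000000000000 20 4 30 10 -1
"""

# Constructed: on a real host these come from /proc/<pid>/fd symlinks
# ("socket:[inode]") and from whatever names the platform gives apps.
INODE_TO_PID = {40001: 2101, 40002: 2102, 40003: 2101}
PID_TO_APP = {2101: "com.example.messenger", 2102: "com.example.news"}

# Constructed packets as the VPN would see them; payloads are opaque TLS.
SAMPLE_PACKETS = [
    {"src_port": 50000, "dst_ip": "203.0.113.10", "length": 1200, "payload": b"<tls>"},
    {"src_port": 50001, "dst_ip": "198.51.100.7", "length": 300, "payload": b"<tls>"},
    {"src_port": 50002, "dst_ip": "203.0.113.10", "length": 800, "payload": b"<tls>"},
    {"src_port": 50001, "dst_ip": "198.51.100.7", "length": 500, "payload": b"<tls>"},
    {"src_port": 60000, "dst_ip": "192.0.2.1", "length": 100, "payload": b"<tls>"},
]


def parse_proc_net_tcp(text):
    """Return {local_port: socket_inode} from /proc/net/tcp-formatted text."""
    port_to_inode = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue  # header line or something too short to be a socket row
        _addr_hex, port_hex = fields[1].split(":")
        port_to_inode[int(port_hex, 16)] = int(fields[9])
    return port_to_inode


def attribute_traffic(packets, port_to_inode, inode_to_pid, pid_to_app):
    """Aggregate bytes and destination IPs per app using metadata only.

    Packets whose source port has no known socket (closed before we looked,
    or not TCP) are grouped under "(unattributed)" rather than dropped, so
    the totals still add up to the bytes that crossed the tunnel.
    """
    totals = defaultdict(lambda: {"bytes": 0, "destinations": set()})
    for pkt in packets:
        inode = port_to_inode.get(pkt["src_port"])
        pid = inode_to_pid.get(inode)
        app = pid_to_app.get(pid, "(unattributed)")
        entry = totals[app]
        entry["bytes"] += pkt["length"]
        entry["destinations"].add(pkt["dst_ip"])
        # pkt["payload"] is deliberately never inspected.
    return dict(totals)


def run_example():
    """Run the attribution over the constructed sample data."""
    port_to_inode = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return attribute_traffic(SAMPLE_PACKETS, port_to_inode, INODE_TO_PID, PID_TO_APP)


if __name__ == "__main__":
    for app, entry in sorted(run_example().items()):
        print(f"{app:24s} {entry['bytes']:6d} bytes -> {sorted(entry['destinations'])}")
```

The point for a user deciding whether to trust a free VPN: the per-app volume, timing and destination picture is available to whoever runs the tunnel regardless of TLS, and only the payload bytes are hidden from it. A check you can do yourself is to compare what the app's privacy description says it collects against what this metadata alone would reveal about your usage.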

~~~
floatingatoll
Does it have logic to inhibit packet analysis when being tested by Apple App
Store reviewers?

~~~
gumby
You're thinking of Volkswagen's VPN app.

~~~
verelo
Haha, it’s rare on HN that someone gets a joke right. Well done!

Edit: it was worth the downvotes, would do again.

------
happybuy
This is malware and should have been rejected from the App Store months (if
not years) ago. Better late than never.

I'm sure if it was a smaller company doing a similar thing they wouldn't have
been given such leeway as Facebook was for so long.

~~~
lazzlazzlazz
I understand people say things like this because they're the edgy, hot take -
but the Onavo VPN software is absolutely not malware. It's a performant, free
VPN that people use in exchange for some anonymized data. There have been no
known leaks or breaches.

~~~
mirimir
From Apple's App Store Review Guidelines:[0]

> 2.5.14 Apps must request explicit user consent and provide a clear visual
> indication when recording, logging, or otherwise making a record of user
> activity. This includes any use of the device camera, microphone, or other
> user inputs.

So did Onavo "provide a clear visual indication" whenever collecting data?
Somehow I doubt that, because it would have been a constant warning.

0) [https://developer.apple.com/app-store/review/guidelines/](https://developer.apple.com/app-store/review/guidelines/)

~~~
eric_h
There is a constantly visible indicator that you're using a vpn on everything
but the iPhone X. It's a stretch admittedly, but there's an argument to be
made.

~~~
AznHisoka
That is definitely not an argument.

------
aylmao
I really hope Apple pulls through with a thorough research of other free VPN
apps on the App Store and cracks down on other sketchy ones too. I doubt that
Onavo users will be inclined to pay for a VPN, and I suspect they instead will
look for other free alternatives.

Onavo didn't have to make money because it was owned by Facebook and it was
known to collect data for its parent company's market research. Much less is
known about how other VPN apps remain sustainable; I wouldn't doubt some
might be running on sketchy business models.

------
djrogers
> Facebook Inc. pulled its data-security app

Calling this a ‘data security app’ is like calling a Snickers bar a diet meal
replacement.

This app literally gives Facebook the ability to track every app you run and
every website you visit, for how long, when, and what network you do it from.

It is literally the kind of data collection that people use VPNs to avoid!

~~~
eric_h
> It is literally the kind of data collection that people use VPNs to avoid!

I have a feeling that a majority of VPN app users use them with the intent of
preventing a specific party from collecting that data (e.g. an employer or a
government).

~~~
inlined
There's also a lot of people who use VPNs to keep their browsing private while
they're on a broadly accessible wifi.

~~~
SmellyGeekBoy
I get why people would use a VPN to thwart censorship but I never really
understood this line of reasoning. It seems that instead of giving a few
minutes' browsing history to an unknown wireless provider, users are giving
their _entire_ history to an unknown VPN provider. Am I missing something?

~~~
d0lph
Many VPN providers claim to not keep logs, and have varying levels of
trustability.

------
paulpauper
Censorship and privacy concerns have ironically created a market for
malware-laden and snooping VPNs to prey on unsuspecting users. The cure is
worse than the disease.

~~~
908087
This isn't what I'd call "the cure", though. This is the "privacy" equivalent
of those bullshit cancer "cures" that prey on poorly informed or desperate
people.

------
etaioinshrdlu
Related: Sensor Tower puts out several free VPN products and sells the
analytics observed.

------
lazerwalker
I feel really conflicted about this.

On the one hand, there's a clear value proposition here: instead of paying a
few bucks a month for a VPN, you can instead pay by giving a giant megacompany
your private data.

The problem is we as a culture don't have a good consent model for educating
people about what this actually means. In a world where everyone who used
Onavo knew exactly what data Facebook was getting from them, and what that
meant, what number of users would willingly use it?

Calling it "malware" or "spyware" doesn't feel accurate, since they're not
outright lying about what the value prop is, but they're still being deceitful
by omission and are preying on people's ignorance.

~~~
SmellyGeekBoy
A lot of the bundled type of spyware I've seen relies on users clicking "I
Agree" on an EULA. The problem is nobody reads the EULA, they just want
whatever software it's attached to as quickly as possible.

I suppose my point being that just because users "agreed" to something doesn't
necessarily mean they knew what they were agreeing to at the time.

------
neurotech1
non-paywall: [http://archive.is/dA1vk](http://archive.is/dA1vk)

~~~
politician
"Error 1001 DNS resolution error

What happened? You've requested a page on a website (archive.is) that is on
the Cloudflare network. Cloudflare is currently unable to resolve your
requested domain (archive.is)."

Domain blocked?

~~~
toomuchtodo
Archive.is blocks DNS lookups from Cloudflare’s public resolver.

Edit: No idea why, just sharing context I have.

~~~
voltagex_
...why?

~~~
williamscales
I just googled and found plenty of threads stretching back months. It seems to
have to do with Archive.is returning wrong IP addresses to Cloudflare's DNS
queries. They are apparently telling folks to use Google DNS but the
configuration of which IP address to return is entirely in their hands. I'm
still quite confused by the situation, to be honest.

------
bhouston
Do all VPN companies sell their traffic to others? I think that is now
probably assumed to be the case.

~~~
mirimir
Many ISPs and telecom providers certainly do. Some were even selling
geolocation data. So arguably you must use VPNs and/or Tor for privacy.

~~~
Rjevski
> Many ISPs and telecom providers certainly do

Do you have a list of them or source for this claim? (not that I'm disagreeing
with you, but just want to see the full extent of the problem)

~~~
mirimir
We know that AT&T, Sprint and Verizon sold location data to numerous corporate
entities. But T-Mobile has claimed that it didn't.

"Verizon and AT&T will stop selling your phone’s location to data brokers"
[https://arstechnica.com/tech-policy/2018/06/verizon-and-att-will-stop-selling-your-phones-location-to-data-brokers/](https://arstechnica.com/tech-policy/2018/06/verizon-and-att-will-stop-selling-your-phones-location-to-data-brokers/)

"Verizon and others call a conditional halt on sharing location with data
brokers" [https://techcrunch.com/2018/06/19/verizon-stops-selling-customer-location-to-two-data-brokers-after-one-is-caught-leaking-it/](https://techcrunch.com/2018/06/19/verizon-stops-selling-customer-location-to-two-data-brokers-after-one-is-caught-leaking-it/)

It's well known now that ISPs can monetize and sell customer data. For
example, see [https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/](https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/)

------
sigjuice
Why are there a million VPN apps and protocols with pointless variations? Why
isn’t the VPN software included in my operating system enough? e.g.
Settings/General/VPN on iOS. macOS and Windows have something similar.

EDIT: This was an honest question. If anyone has any insights to share, I
would really appreciate it. Over the years, I have dealt with some truly
questionable third-party VPN software from the usual big name networking
equipment vendors and plenty of other so called “security” vendors.

~~~
r3bl
Because VPN is a service, not a piece of software.

You're paying third parties for the service, and those third parties use the
money to maintain the infrastructure powerful enough for each user to have
high speed VPN service (nobody's gonna use a VPN that throttles the speed by
90%) across different geographical regions.

_If_ Microsoft and Apple wanted to offer a VPN as a first-party service out
of the box, they would be forced to maintain a pretty complex infrastructure
across multiple regions _and_ somehow be able to support way more traffic than
any third party VPN provider (because of their name). So, where's the money
for the infrastructure going to come from?

In Facebook's case, from mining the data. I would argue that Apple isn't
stupid enough to attempt something like that, and as for Google, they already
do have a first-party VPN integrated into Android[0].

I would argue that the reason that third-party VPNs are shady is _because_
they need a large infrastructure in place before they can offer the service.
Once they do have the infrastructure in place, they're not making profit, but
covering their losses, while at the same time being forced to scale even
further.

[0] On Nexus/Pixel devices from certain regions that activates automatically
when connected to an insecure WiFi: [https://www.howtogeek.com/275474/how-to-use-androids-wi-fi-assistant-to-keep-your-phone-safe-on-public-networks/](https://www.howtogeek.com/275474/how-to-use-androids-wi-fi-assistant-to-keep-your-phone-safe-on-public-networks/)

~~~
sigjuice
You are confusing service with software. All major operating systems have
built-in VPN support. Check the network settings on your phone or computer.
There will be a section for VPN settings.

------
_bxg1
Non-paywall coverage on The Verge:
[https://www.theverge.com/2018/8/22/17771298/facebook-onavo-protect-apple-app-store-pulled-privacy-concerns](https://www.theverge.com/2018/8/22/17771298/facebook-onavo-protect-apple-app-store-pulled-privacy-concerns)

"Onavo, which began as an Israeli analytics startup focused on helping users
monitor their data usage, was acquired by Facebook in 2013. Its VPN provider
then became a data collection tool for Facebook to monitor smartphone users’
behavior outside its core apps, helping inform Facebook’s live video strategy,
competition from other social apps, and its decision to acquire companies
including WhatsApp."

Geez, man. That is _evil_. Especially since most users don't know the
difference between "security" and "privacy", and probably assume that it would
have the exact _opposite_ effect.

~~~
cjhopman
Oh please. The description in the app stores is pretty clear about this
behavior
([https://play.google.com/store/apps/details?id=com.onavo.spac...](https://play.google.com/store/apps/details?id=com.onavo.spaceship)):

"As part of providing these features, Onavo may collect your mobile data
traffic. This helps us improve and operate the Onavo service by analyzing your
use of websites, apps and data. Because we're part of Facebook, we also use
this info to improve Facebook products and services, gain insights into the
products and services people value, and build better experiences."

Running a VPN isn't particularly cheap. I'd assume that any free VPN is one
of:

1. criminals collecting and monetizing your information
2. state actors collecting and ?????????? your information
3. companies collecting and monetizing your information
4. too small to need to do one of (1)-(3)

------
IBM
The next step is to ban third party frameworks in apps for "analytics" or
serving ads. That should be something intermediated and provided by Apple
itself.

[https://developer.apple.com/documentation/storekit/skadnetwo...](https://developer.apple.com/documentation/storekit/skadnetwork)

~~~
kyle-rb
Yeah, Apple needs a monopoly on serving ads too.

~~~
scarface74
After the iAd fiasco, I don’t think Apple wants to go anywhere near in app
ads.

------
hegz
Why post a paywall link?

~~~
logicallee
This might be kind of ironic (you'll see what I mean) but to get to full
wsj.com articles just put the word "full" before wsj, keeping the rest of the
URL the same.

For this article that means go to

[https://www.fullwsj.com/articles/facebook-to-remove-data-security-app-from-apple-store-1534975340](https://www.fullwsj.com/articles/facebook-to-remove-data-security-app-from-apple-store-1534975340)

(I just copied and pasted our post link then added "full" before wsj.com)

