back to article Facebook Onavo Protect doesn't protect against Facebook

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off. In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, …

  1. TheVogon Silver badge

    "Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks"

    Isnt that what SSL / HTTPS is for?! VPNs are generally for privacy when used to access the internet. Tossers.

    1. Anonymous Coward Silver badge
      Boffin

      VPNs are for accessing private networks remotely. It's only recent privacy concerns and ISP/country filters that have seen an increase in use for general internet access.

      It's entirely within spec to have a VPN with no encryption. Obviously nobody does that, but it shows that VPNs were designed to provide access to something, not exclusively to hide that access from others.

    2. Stoneshop Silver badge
      Big Brother

      VPN

      Isnt that what SSL / HTTPS is for?! VPNs are generally for privacy when used to access the internet. Tossers.

      HTTPS and SSL encrypt the traffic in your session with that particular site, but stuff like DNS lookups go out in the clear so everyone can see that you're visiting www.rule34.com. And with a bit of trickery the inattentive user might actually be visiting www.nottherealrule34.com instead.

      VPNs establish an encrypted tunnel to what should be a trusted endpoint, from which your traffic goes to whatever sites you fancy.and no-one looking at the traffic between you and that endpoint should be able to determine what you're up to. That endpoint, however, is basically representing you, and you have to trust it's dealing with the information it can gather (connection logs, DNS lookups etcetera) in a way that you approve of.

      Facebook is not on my list of entities I trust. In any way.

    3. katrinab Silver badge

      "Isnt that what SSL / HTTPS is for?!"

      https can't be trusted on an untrusted wireless network.

      Here's what could happen.

      Someone sets up an open wifi hotspot - anyone can do that, it requires no special skills

      They give it the name of a popular public wifi provider, maybe O2 Wifi for example - again anyone can do that, it is no more difficult than giving it any other name

      Change the DNS settings on the network to point for example natwest.com at a different server - this isn't too difficult, if you know how to administer DNS servers, you should be able to do this

      Obtain a SSL certificate for natwest.com and install it on your server. You shouldn't be able to do this, but it happens far too often. The only difficulty here is finding the supplier that will do it before everyone else does.

      1. Adam 1 Silver badge

        if

        Setup fake hotspot with believable name. Check (although you forgot the de-auth packet flood to disconnect everyone on those other APs).

        Poison the responses from DNS. Check

        Obtain a SSL certificate for natwest.com

        Yeah, no. Obtaining a fake certificate isn't completely impossible because CAs have and probably will in the future make mistakes. Some guy ended up with a github certificate a few months back due to a CA stuff up. But CAs have been distrusted for giving out fakes (Google diginotar). We have also seen the likes of Lenovo and Dell installing themselves as certificate authorities, and I believe in the Dell case this could have been used to sign a fake server.

        Far more likely is someone registering natvvest.com and getting a legitimate certificate for that domain. Of course it natwest used* HSTS then the redirect page wouldn't be trusted by your browser. (A 302 is needed because the browser is expecting a certificate owned by natwest.com not natvvest.com. If the original request is http, it can be intercepted and responded to redirect your browser to the new domain)

        The actual problem with https is that an observer can correlate who you are talking to and the response size and infer what you are doing. The Facebook image on this article is 13282 bytes. How many other el reg resources are exactly that size?

        Tl;dr - https doesn't give you perfect security, but it is inarguably better than http.

        *They may well. I didn't check.

  2. fidodogbreath Silver badge
    Holmes

    Mystery solved

    ...Onavo "helps keep you and your data safe when you go online, by blocking potentially harmful websites..."

    Facebook is known to be harmful. Onavo only blocks sites that are potentially harmful.

    1. Chris King Silver badge

      Re: Mystery solved

      Try sharing a link to FB Purity and this pops up...

      This Post Can't Be Edited

      Posts that look like spam according to our Community Guidelines are blocked on Facebook and can't be edited.

      Yes sir, Facebook has some interesting definitions of "harmful" and "spam"...

  3. Anonymous Coward
    Anonymous Coward

    Not sure why people trust american vpn providers. i vpn using open source vpn software to my own private remote server in another country, its the only vpn i trust.

    Edit: Or any american company on personal data issues.

    1. fidodogbreath Silver badge

      Not sure why people trust american 14 Eyes vpn providers

      FTFY

  4. JassMan Silver badge

    The clue is in the Ts&Cs

    ... data use policy –explains that by using the app, "you choose to route all of your mobile data traffic through, or to, Onavo’s servers."

    Obviously from the fact that to app continues to gather info while it is "turned off", it is collecting data about which other apps map be on your phone which use VPN services. Presumably, they are using this info to decide which other companies it may be worth slurping up. Alternatively they may use it to decide which areas it may be worth writing competing software for.

  5. Bob Dole (tm)
    Mushroom

    It’s simple

    The data they were collecting was minimal because they wanted to find out if people were going to go ballistic over it. Now that the story is out, just wait a few weeks. That app will start sending far more intrusive information.

    1. Gotno iShit Wantno iShit

      Re: It’s simple

      I think faecbook just can't help themselves, they have to collect data even if they don't yet know what to do with it. Collect anything. Collect everything.

  6. Anonymous Coward
    Anonymous Coward

    Beware of Greeks

    bearing VPNs.

  7. Aristotles slow and dimwitted horse Silver badge

    Why would anybody who wants to use a VPN use this?

    I just don't get it. I guess it's free? But in VPN an security terms that should be an alarm bell from the outset.

    I use an AirVPN config via the OpenVPN client on my iPhone. I prefer it that way.

  8. Roj Blake Silver badge

    "Strafach, in an email to The Register, said it's not clear what Facebook is doing."

    Oh, I think it's crystal clear what they're doing.

    1. Robert Helpmann?? Silver badge
      Mushroom

      Re: "Strafach, in an email to The Register, said it's not clear what Facebook is doing."

      Let me spell it out by addressing Strafach's comments.

      "They can easily clear things up by explaining more precisely why they collect certain data..."

      - Because they are douchebags.

      "...and what they do with it..."

      - Whatever douchebags do with your data.

      "...so I don’t understand why they are so vague about it..."

      - Because douchebaggery!

      "I do hope they are being respectful of user privacy..."

      - You can hope in one hand, sir...

      "... and it would be very nice if they clarified that I think."

      - But they make more money being complete and total douchebags.

      There is only one answer when the product does something other than what the author tells you it will by design. If you are being lied to, either through weasel words in a contract, through misdirection or omission as to how something works, or any other way for that matter, then you are dealing with a douchebag. Take appropriate and immediate action (see icon if this is not clear enough to work with).

  9. iron Silver badge

    "I do hope they are being respectful of user privacy..."

    Hahahahaha BONK!

    Sorry laughed my head off, give me a moment to screw it back on.

  10. CrazyOldCatMan Silver badge

    "develop new and innovative services for"

    "making more money for Facebook by selling even more data about you to anyone with a couple of quid/bucks/munnies"

    User security? Data security? Yes - we keep our users data safe. Where safe == "we'll sell it to anyone who asks without enquiring too much what they want it for".

  11. Frank Bitterlich
    Facepalm

    Who on earth...

    ... would, when looking to protect their data, turn to Facebook by any means?

    /shakes head in disbelief...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019