Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Do Not Use Facebook’s New Security Feature, Seriously

[Image: facebook vpn.png]

Four years ago, Facebook acquired a little-known Israeli startup named Onavo. Onavo focused on mobile data compression, building a platform that lets mobile users consume less mobile data, an attractive feature in areas where mobile data is limited or expensive.

At the time, this acquisition made sense: unlimited data plans in the US were a thing of the past, and social media consumption accounted for a large share of mobile data bandwidth. Onavo looked like the perfect solution to user complaints that the Facebook App and Facebook Messenger consume too much mobile data.

Facebook chose to use the Onavo platform to embed a VPN client in the Facebook App. Encrypted VPNs have many benefits, such as ensuring data is not intercepted or modified on open WiFi connections, circumventing censorship controls (such as the Great Firewall of China), and warning users about malicious websites.

As Spiderman’s Uncle Ben famously opined, “With great power comes great responsibility.” With the new Facebook Protect feature, Facebook has demonstrated that it is not using this capability responsibly. When a user enables Facebook Protect, the App takes the user to their smartphone’s app store to download the Onavo App/client. Facebook does not immediately disclose that it owns Onavo, and it publishes the app under the name Onavo, Inc.

[Image: onavo vpn.png]

Buried in the description of the app is the statement that Onavo is “a part of Facebook,” and that it is used to “improve Facebook products and services, gain insights into the products and service people value, and build better experiences.”

The privacy issue is that the VPN connection carries more than just Facebook traffic. When the VPN is enabled, all traffic leaving the smartphone is sent to servers controlled by Facebook, where it can be mined and sold to advertisers. For example, a user of a pregnancy-tracking app could have their data sold to advertising companies targeting pregnant women.

This massive data collection is not limited to targeted ads. The collected data could also be used to track up-and-coming mobile apps that haven’t broken out yet (as potential takeover targets, or to integrate their features into Facebook) or to track a decline in usage of existing apps.
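To make the two preceding paragraphs concrete, here is an added example (my own illustration, not code from the article or from Facebook/Onavo) of what the operator of a full-device VPN can learn from connection metadata alone. Even when every payload is TLS-encrypted, the tunnel operator still sees the destination hostname (from DNS lookups or the cleartext TLS SNI field), port, timing and byte counts of every flow the phone makes. The flow records, hostnames and byte counts below are constructed for the example; the `.example` domains are placeholders, not real apps. The script separates flows to the operator's own properties from third-party flows and reports what the tunnel exposes about other apps on the device, which is exactly the app-usage signal described above.

```python
"""What a full-device VPN operator can observe from flow metadata.

Constructed sample data stands in for a tunnel's connection log. Nothing here
decrypts traffic: the point is that hostnames, ports and volumes are enough to
profile which apps a user runs and how heavily.
"""
from collections import defaultdict
from dataclasses import dataclass

# Domains belonging to the VPN operator's own properties (Facebook-owned).
# A flow to these would be visible to Facebook with or without a VPN.
OPERATOR_DOMAINS = frozenset({
    "facebook.com", "fbcdn.net", "instagram.com", "whatsapp.net", "messenger.com",
})


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since tunnel start
    host: str          # from the DNS query or TLS SNI, both cleartext
    dst_port: int
    bytes_out: int
    bytes_in: int

    @property
    def total(self) -> int:
        return self.bytes_in + self.bytes_out


# Constructed tunnel log (not real traffic). Third-party hosts use the
# reserved .example TLD / example.org as placeholders.
SAMPLE_FLOWS = [
    Flow(0.0, "graph.facebook.com", 443, 1200, 8800),
    Flow(1.5, "scontent.fbcdn.net", 443, 300, 49700),
    Flow(2.0, "api.pregnancy-tracker.example", 443, 2000, 6000),
    Flow(2.4, "api.pregnancy-tracker.example", 443, 500, 1500),
    Flow(3.1, "cdn.newapp.example", 443, 100, 29900),
    Flow(4.0, "mail.example.org", 993, 400, 3600),
    Flow(5.2, "edge-chat.messenger.com", 443, 800, 1200),
]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels. Good enough for this
    illustration; real tooling would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_operator_traffic(host: str) -> bool:
    """True if the flow goes to one of the operator's own properties."""
    return registrable_domain(host) in OPERATOR_DOMAINS


def summarize(flows):
    """Split flows into operator bytes and a per-domain third-party table.

    The third-party table is the privacy exposure: every entry is an app or
    service the operator would not have seen without the device-wide tunnel.
    """
    operator_bytes = 0
    third_party = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        if is_operator_traffic(f.host):
            operator_bytes += f.total
        else:
            entry = third_party[registrable_domain(f.host)]
            entry["flows"] += 1
            entry["bytes"] += f.total
    return operator_bytes, dict(third_party)


def third_party_share(flows) -> float:
    """Fraction of tunnelled bytes that are NOT the operator's own traffic."""
    operator_bytes, third_party = summarize(flows)
    tp_bytes = sum(e["bytes"] for e in third_party.values())
    total = operator_bytes + tp_bytes
    return tp_bytes / total if total else 0.0


def report(flows) -> str:
    """Human-readable view of what the tunnel operator learns."""
    operator_bytes, third_party = summarize(flows)
    lines = [f"operator-owned traffic: {operator_bytes} bytes",
             f"third-party share of tunnel: {third_party_share(flows):.1%}",
             "third-party domains visible to the operator:"]
    for domain, e in sorted(third_party.items(), key=lambda kv: -kv[1]["bytes"]):
        lines.append(f"  {domain:32s} flows={e['flows']} bytes={e['bytes']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

Run as-is, the report shows that on this constructed log over 40% of the tunnelled bytes go to services the operator would otherwise never see, and that the pregnancy-tracking placeholder domain is identifiable from hostnames alone. The same logic applies to any full-device VPN, which is why the choice of operator, not just the presence of encryption, determines how private the tunnel is.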

On a recent earnings call, Facebook announced that a feature it had added, one very similar to Snapchat’s Stories feature, led to a decline in Snapchat’s daily active users (DAU) even before Snapchat disclosed the loss of DAUs on its own earnings call. Collecting this data gives Facebook a huge competitive advantage, because it can implement a rival platform’s features before that rival has a chance to break out.

There is a reason Facebook can offer the Facebook app, Instagram, and WhatsApp for free: it collects the data from these apps and sells it to advertisers and third parties. Using a VPN to send all mobile data traffic to Facebook further increases the amount of data that can be collected and sold. With so many other free or low-cost, reputable VPN providers available, there is absolutely no reason to use Facebook Protect / Onavo. Windscribe and SurfEasy both have free offerings for mobile VPNs (SurfEasy was bought by Symantec last year). TunnelBear completed the first public security audit of a consumer VPN, was rated as very secure, and has a focus on user privacy.

The Zscaler App also allows traffic to be tunneled from a phone to the nearest Zscaler Enforcement Node, offering security protections similar to, and better than, those of a traditional VPN service.

Further reading:

Egg, Meet Face: Intel forced to Roll Back Meltdown and Spectre Fixes

Tinder's Lack of HTTPS Allows Strangers to Spy On Your Swipes