Notes on Analytics and Tracking in Onavo Protect for iOS

Recent media coverage of Onavo Protect encouraged me to investigate the code for the iOS version of their app. I wanted to determine what types of data is collected in addition to the alleged per-app-MAU tracking performed server-side.

I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:

• When user’s mobile device screen is turned on and turned off
• Total daily Wi-Fi data usage in bytes (Even when VPN is turned off)
• Total daily cellular data usage in bytes (Even when VPN is turned off)
• Periodic beacon containing an “uptime” to indicate how long the VPN has been connected

Background

Onavo Protect is a Facebook-owned VPN app for mobile devices, available free of charge in the App Store. Onavo was criticized earlier this month due to promotion of Onavo Protect within the Facebook app for iOS. The Facebook app had recently added a “Protect” button, forwarding users to Onavo Protect in the App Store.

• Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service (Gizmodo)
• Facebook is suggesting mobile users ‘Protect’ themselves…by downloading a Facebook-owned app that tracks their mobile usage (CNBC)
• Don’t trust the VPN Facebook wants you to use (WIRED)

Pre-Acquisition History

• Founded in late 2009 as Vircado
• Throughout 2010, remained in “stealth mode” or “closed alpha”
• In early 2011, name changed to Onavo, shifted to“private beta”
• In April 2011, Onavo launches initial iOS app, positioned as a data-saving tool and available at no cost with plans for paid subscriptions as a later revenue model (“We will not sell the data or introduce ads to Onavo”)
• In late 2012, initial citations attributable to “Onavo Insights” appear in the press, regarding app download and usage statistics
• In early 2013, Onavo Insights is publicly launched, enabling subscribers to find out market share, usage data, and Monthly Active Users for different iOS apps (This data is most certainly derived from analysis of Onavo user network traffic)
• In summer of 2013, Onavo Acquisition Insights is publicly launched, enabling subscribers to attribute app downloads to specific methods of adveritsing (This data is also most certainly derived from analysis of Onavo user network traffic)
• In October 2013, Onavo is purchased by Facebook for an undisclosed sum, estimated to be between $100 million and $200 million

Details

The Onavo Protect app downloads a Mobile Configuration file containing VPN settings to use, with server location most likely based on the country name sent in Onavo’s POST request to the https://graph.onavo.com/register_device API endpoint.

Onavo Protect uses a Packet Tunnel Provider app extension to perform additional functions while the VPN is running.

Data Collection

Onavo Protect collects device information, network related analytics, and “fact of” certain events occuring. Types of data collected include the following:

• Onavo Protect sends device-related information when initially connecting to the Onavo VPN, such as cellular carrier name, mobile network code, mobile country code, locale/language, iOS version, and Onavo app version
• Onavo Protect tracks when the mobile device screen is on/off, likely only while connected to Onavo Protect (Listens for “com.apple.springboard.hasBlankedScreen” and “com.apple.mobile.SubstantialTransition” Darwin events)
• Onavo Protect tracks daily data usage counts for Wi-Fi and cellular using system APIs, potentially including user data usage when not connected to the Onavo Protect VPN, due to the nature of the API (The code is very similar to iOS data usage tracking code found on Stack Overflow)
• Onavo Protect performs timing measurements of Packet Tunnel Provider perfomance, determining how long “bringup” takes from initialization to successful VPN connection
• Onavo Protect sends test DNS request latency measurements for tunneled versus non-tunneled traffic
• Onavo Protect sends a “beacon” event containing uptime in epoch format

Data Uploads to Facebook

Onavo Protect will flush collected analytics information to log files from memory if there are greater than 49 “events” waiting in RAM or if it has been more than 2 minutes since the last flush.

The log files are then prepared for upload in a network request to Facebook. Analytics data is sent in a POST request to https://graph.facebook.com/v2.3/logging_client_events from the Packet Tunnel Provider process (The Packet Tunnel Provider process would be running at any time the VPN connection for Onavo is switched on, enabling periodic analytics data uploads to Facebook even if the Onavo Protect app is not open).

Attempts to observe analytics data uploads through traditional analysis methods, such as an intercepting proxy, may prove to be difficult. Due to the nature of conducting analytics data uploads while the Packet Tunnel Provider is running, it is likely that data uploads will mostly occur inside the Onavo VPN tunnel.

Further Questions

1. How does Facebook use the “screen is on” and “screen is off” tracking data obtained by Onavo Protect?
2. How does Facebook use the “total Wi-Fi data usage” and “total cellular data usage” counts collected every day by Onavo Protect?
3. Does Facebook use the Device ID that Onavo Protect sends to graph.facebook.com in any way to associate the user’s Onavo Protect network traffic / browsing habits with their Facebook account?