Connect with us


Apple Stops Facebook from Spying

Apple Stops Facebook from Spying
Apple Stops Facebook from Spying. Technically, Facebook knows everything. It’s not just as official as them having hard data about what other apps you use on your mobile phone. If say, you use Snapchat, Line or WhatsApp, and keep Facebook as a legacy thing for your older friends, Facebook will know your activities if you also made the mistake of downloading their Onavo Protect VPN app.

Yes, the Onavo VPN app is owned by Facebook. VPNs are supposed to keep one’s activities hidden from prying eyes but if you got you’re VPN from Facebook, you probably have it coming. Well, Apple has put a stop on this activity and will keep more iOS users from falling victim, but Android users are still open.

Why download Onavo in the first place? The premise of the app is to offer a secure VPN service for mobile internet users. As per the Onavo website, Onavo Protect keeps users safe by blocking potentially harmful websites from acquiring personal information.

The app also monitors how much mobile data is used by other mobile apps to protect users from overconsumption, which is a very bad thing especially when international roaming. The problem is, that to in order to count how much data is being consumed by other apps, the data is actually collected, by Facebook who has owned the Israeli startup Onavo since 2013.

Apple Stops Facebook from Spying

What Onavo does:

  • Add an extra layer of security
  • Secure personal information while on public Wi-Fi
  • Provide a fast, free and secure VPN
  • Alerts when apps use too much data
  • Blocks apps from using data in the background
  • Limits apps to use Wi-Fi only
  • Notifies user when an app reaches a certain amount of data

Onavo Protect officially collects measures:

  • Mobile network name
  • Mobile network code
  • Mobile country code
  • Locale/language
  • iOS version
  • Onavo app version.
  • Also when the mobile device screen is on/off
  • Tracks daily data usage on Wi-Fi and mobile data
  • DNS request to measure latency.

Onavo is apparently open to saying that they will be collecting mobile data traffic in order to perform its tasks as stated in the Google Play Store app description. But, much like EULAs, many users pretty much ignore these notices and/or messages that apps will be needing access to a bunch of things from their phones including private pics from their photo gallery.

Onavo App description on Google Play:

As part of providing these features, Onavo may collect your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value and build better experiences.

The previous statement sounds somewhat changed that it now justifies Facebook’s data collection as well as its ownership. This data collection however has led to the acquisition of WhatsApp, apparently because it’s so popular and that Onavo now bombards users with targeted advertising.

But the whole thing doesn’t sit well with Apple’s new policies which went in effect last June and the company told Facebook to voluntarily remove Onavo from the App Store.

We work hard to protect user privacy and data security throughout the Apple Ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing…


Onavo iOS users who don’t mind the data collection can still use their existing apps and continue to download them when upgrading or changing devices, however, they can’t expect any more updates.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


UK Fines Facebook over Cambridge Analytica Scandal


UK Fines Facebook over Cambridge Analytica Scandal. The UK has hit Facebook a fine of $645,000 for the Cambridge Analytica Scandal. It was revealed earlier this year that they had harvested the personal data of millions of profiles without the user’s consent and used it for political purposes. It is estimated that 87 million users were affected.


The fine has been enforced by the UK’s Information Commissioner’s Office (ICO) and was calculated using a pre-GDPR formula for data breach fines. Using the UK’s old Data Protection Act to fine Facebook, rather than GDPR they can only give a maximum penalty of £500,000, which is equal to what the social media giant earns every 18 minutes.


GDPR rules dictate a maximum fine of 4% of annual global turnover, which would be $1.6 billion. Unfortunately the the GDPR regulation wasn’t in place when the Cambridge Analytica story broke, coming into force in May 2018.


The UK investigation concluded that Facebook’s APIs had been allowing developers access to users information without them providing proper consent, for a long period of time between 2007 and 2014. Once they realized this loophole existed and patched it up, they did nothing to investigate the data compromised or ensure it was deleted.


[FACEBOOK] should have known better and it should have done better… We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR

Information Commissioner Elizabeth Denham said in a statement


Facebook has said they are reviewing the ICO’s findings and stated they “respectfully disagree” with some of the report, but admit they should have done more to protect users data. They also added that they found no evidence that British users profile information was shared with Cambridge Analytica.

Continue Reading


Libssh Security Flaw leaves thousands of servers vulnerable to hijacking

Libssh Security Flaw leaves thousands of servers vulnerable to hijacking

Libssh Security Flaw leaves thousands of servers vulnerable to hijacking. A security flaw in libssh leaves thousands, and potentially more, servers vulnerable to an attack. Libssh is a multiplatform C library which allows users to remotely execute programs, transfer files, manage public keys and use a secure and transparent tunnel.


The security flaw, discovered by Peter Winter-Smith from NCC Group, allows a hacker to bypass the authentication process on the servers and gain access to the system without having to enter a password.


An attacker can do this by sending the SSH server “SSH2_MSG_USERAUTH_SUCCESS” message instead of the “SSH2_MSG_USERAUTH_REQUEST” message that a server usually expects and which libssh uses as a sign that an authentication procedure needs to initiate.


The libssh system will treat this message to mean the authentication has already taken place and allow the attacker access to the server. The flaw (CVE-2018-10933) was released in January 2014 in release 0.6.0.


It’s estimated that the vulnerability currently affects at least 3000 servers, however this is based on a small search and the scale of the problem is not yet known. There were concerns that the popular version control site for developers to work collaboratively on projects, GitHub, was affected but they have released a statement denying this. Github claims the way they use libssh means they are not vulnerable to this exploit.


“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with the libssh server is not relied upon for pubkey-based auth, which is what we use the library for,”

a GitHub security official said on twitter


The security flaw is only on the server side, meaning users who have a libssh based SSH client installed on their computer will be safe from potential attackers looking to exploit this vulnerability.


While there are currently no public exploits available for the vulnerability, they are easy to put together so these are likely to pop up online in the coming days and weeks.

The team at libssh released versions 0.8.4 and 0.7.6 yesterday to handle this bug.


Continue Reading


Ad Clicker Disguised as a Google Photos App has been Hosted on Microsoft Store.

Ad Clicker Disguised as a Google Photos App has been Hosted on Microsoft Store

Ad Clicker Disguised as a Google Photos App has been Hosted on Microsoft Store.


A malicious app called “Album by Google Photos” was found to be hosted on the Microsoft store. The app was pretending to be part of Google Photos, but was in fact an ad clicker that generates hidden adverts within the Windows 10 Operating System.


The ad clicker app seemed credible to users because of its name, and also the fact it claimed to be created by Google LLC, Google’s actual Microsoft store account is Google Inc, but it looks unsuspecting to users. Microsoft came under some criticism for not realising the app was actually malicious software since the user reviews did highlight that the app was fake, with plenty of 1* reviews. One review states “ My paid Anti-malware solution detected several attempts to download malware by this app. Watch out”. The App was first released on the Microsoft store in May.


What did the application do?


The “Album by Google Photos” app is a Progressive Web Application (PWA), which acts as the front end for Google Photos and includes a legitimate login screen. Hidden in the app bundle is also an ad clicker which runs in the background and generates income for the app developers.


The app connects to ad URLS, and the ads were very similar to what users would see from typical adware, including tech support scams, random chrome extensions, fake flash and java installs and general low-quality sites.


Microsoft haven’t commented how this app managed to pass the Microsoft review process before ending up on the store.  This is somewhat concerning since it could mean other malicious apps of a similar nature have flown under the radar and are still infecting user’s computers. We are waiting for Microsoft to comment on the issue.

Continue Reading