Apple’s new App Store privacy guidelines restricting apps that collect data on users’ friends—specifically, the address books of iPhone users—already seemed to be in large part a response to Facebook’s sprawling Cambridge Analytica data scandal. But the company could also be targeting Facebook’s Onavo Protect VPN service, which poses as a way to grant users anonymity from service providers and websites but is explicitly designed to vacuum up huge amounts of data on the device usage habits of anyone who enables it.
Bloomberg, which reported on Apple’s crackdown on contact collection on Tuesday, published another article today suggesting that another update to the App Store guidelines banning the collection of other app data for “analytics” or profit could be a big middle finger to Onavo:
The iPhone maker’s updated App Store Review Guidelines ban applications that “collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing.” This could give Apple grounds to remove the Onavo app, although the software is still available despite the rules kicking in last week.
Apple’s new guidelines “sound like they’re almost written in response to what Onavo and others have been doing,” said Will Strafach, a researcher who has studied Onavo Protect and focuses on the security of Apple’s iOS mobile operating system. A Facebook spokeswoman declined to comment.
As Bloomberg noted, Apple already uses a technique called sandboxing to prevent apps from harvesting data from other apps via the device, but Onavo relies on analyzing “mobile data traffic.” That seems more or less like the kind of practice Apple is trying to end on the App Store, and it could also apply to other VPNs that spy on iOS users for marketing purposes as well.
According to CNBC, documents provided by Facebook in response to congressional inquiries amid the company’s far-ranging Cambridge Analytica scandal say that while Onavo data is not connected to Facebook accounts, the company “does look at Onavo’s broad data sets to see what types of products are popular and how customers are using them.” For example, Onavo data helped Facebook decide to buy WhatsApp, the popular encrypted messaging service that it then heavily integrated into its ad network.
Onavo Protect is still listed on the App Store as of late Tuesday evening, but if it disappears it could be a sign that the Apple-Facebook standoff that has long been brewing is heating up. Alternately, Facebook could simply change Onavo’s data-collection practices for the iOS version of its app or simply hope that its sheer clout prevents Apple from taking action (probably a very bad bet, given Apple explicitly used Facebook as an example of a bad actor at its recent WWDC 2018 conference).
Either way, Onavo is a great example of corporate spyware, so if it’s booted off the App Store the only tears shed will be crocodile ones.