Facebook's Onavo Protect VPN can gather users' psychological profiles

27 Mar 2018

Whilst reviewing Facebook's Onavo Protect VPN, VPNSpecial.com experts discovered that it contained traces of the HotKnot library, which could enable tracking of purchases completed on Android devices that have a HotKnot mobile payments chip.


(Image: decompiled Onavo Protect VPN source code directory/file list)

In the midst of growing concerns about Facebook's stance regarding the privacy of its users, Facebook decided to release a free VPN service called Onavo VPN for all its users. The move has been heavily criticised from the start, with critics pointing to Facebook's long-standing record of privacy invasions.
Even the VPN app's description states that all browsing data is collected by Facebook to improve its products and services, which defeats the purpose of using a VPN in the first place.
According to Google Play, the Android version of Onavo Protect alone has already been installed between 10 million and 50 million times. The popularity of Onavo and of other free VPNs, such as HotSpot Shield, shows that many users might not fully understand what they are getting themselves into.
After VPNspecial.com started a minor investigation of Onavo VPN's Android application, it noticed what it calls "a few worrying flaws, which might prove that Facebook's free VPN is doing much more than just collecting data for Facebook and Onavo service improvement."
After downloading the Onavo Android application .apk file, we decompiled it and opened it with Android Studio. Soon, we noticed that Onavo uses HotKnot, which is mostly used to exchange data by touching two compatible devices together. However, a user can also make a payment that way, and that information might be tracked.
HotKnot is usually used by ARM processors in Chinese and Asian markets for collecting data and using it for market research.
We reported our findings to Facebook and were told that HotKnot was not being used with Onavo VPN. After we provided sufficient proof that the files are actually there, the response was more elaborate: "While we did not use them (the functions are empty as you can see when decompiling), they have been removed and will not be included in new versions of Protect."
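The check described above (pull the APK apart, look for identifiers of a library the app should not need) can be automated as a first pass before opening anything in Android Studio. The script below is an added example written for this page; it is not VPNSpecial.com's tooling and not code from Onavo. An APK is a zip file, so it walks the entries, flags entry paths that name the library, and extracts printable strings from `.dex` and `.so` entries the way `strings` would. The sample APK is constructed in memory, and every class descriptor, symbol and pattern in it (`Lcom/example/hotknot/HotKnotAdapter;`, `hotknot_native_init`, `ExamplePaySDK`) is a placeholder, not the real package or symbol name of HotKnot or any other SDK.

```python
import io
import re
import zipfile

# Identifier patterns to look for. Matching is case-insensitive, on entry
# paths and on printable strings pulled out of dex and native-code entries.
# Both names are assumptions for this example: "hotknot" stands in for the
# vendor SDK discussed in the article (its real package name is not given
# here), and "ExamplePaySDK" is a constructed name the sample does not contain.
LIBRARY_PATTERNS = {
    "HotKnot": re.compile(rb"hotknot", re.IGNORECASE),
    "ExamplePaySDK": re.compile(rb"examplepaysdk", re.IGNORECASE),
}

# Printable ASCII runs of at least 6 bytes, the same heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a fake dex and native lib.

    The class descriptors and symbol names below are placeholders invented for
    this example, not identifiers taken from Onavo or from any real SDK.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00"
            b"Lcom/example/app/MainActivity;\x00"
            b"Lcom/example/hotknot/HotKnotAdapter;\x00"  # placeholder descriptor
            b"onHotKnotReceive\x00"
            b"Landroid/app/Activity;\x00",
        )
        zf.writestr(
            "lib/armeabi-v7a/libhotknot_placeholder.so",
            b"\x7fELF\x00" + b"hotknot_native_init\x00",  # placeholder symbol
        )
        zf.writestr("assets/config.json", b'{"feature": "vpn"}')
    return buf.getvalue()


def find_library_references(apk_bytes: bytes, patterns=LIBRARY_PATTERNS):
    """Scan an APK for embedded-library identifiers.

    Returns {library_name: sorted list of (entry, kind, match)} where kind is
    "path" for a hit on the zip entry name and "string" for a hit inside the
    bytes of a .dex or .so entry. A hit shows the library's code or symbols
    are bundled; it does not show that the app ever calls them.
    """
    hits = {name: set() for name in patterns}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            entry = info.filename
            for name, pat in patterns.items():
                if pat.search(entry.encode("utf-8", "replace")):
                    hits[name].add((entry, "path", entry))
            if not entry.endswith((".dex", ".so")):
                continue  # manifest, assets, resources: not code
            data = zf.read(entry)
            for run in PRINTABLE_RUN.findall(data):
                for name, pat in patterns.items():
                    if pat.search(run):
                        hits[name].add((entry, "string", run.decode("ascii")))
    return {name: sorted(found) for name, found in hits.items()}


def bundled_libraries(apk_bytes: bytes, patterns=LIBRARY_PATTERNS) -> list:
    """Names of the libraries for which at least one reference was found."""
    report = find_library_references(apk_bytes, patterns)
    return sorted(name for name, found in report.items() if found)


if __name__ == "__main__":
    # For a real file: sample = open("/path/to/app.apk", "rb").read()
    sample = build_sample_apk()
    for lib, found in find_library_references(sample).items():
        print(f"{lib}: {len(found)} reference(s)")
        for entry, kind, match in found:
            print(f"  [{kind}] {entry}: {match}")
    print("bundled:", bundled_libraries(sample))
```

A string hit only establishes that the library is shipped inside the app. Whether its code is reachable is exactly the question behind Facebook's "the functions are empty" reply, and answering it requires the decompiled classes and a look at call sites, which is the manual Android Studio step the investigation describes and which a string scan cannot replace.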
Considering that Facebook is inaccessible in China without a VPN and that the majority of Chinese citizens use one, it is not surprising that Facebook decided to target this steadily growing market. Facebook is simply doing what it always does - collecting the maximum possible amount of data, which it can sell or use afterwards.
The use of HotKnot, in addition to the usual Facebook tracking features, would allow Facebook to learn its users' shopping habits and, by correlating purchase information with geo-location, to gather far more in-depth information, such as psychological profiles and deeply personal preferences.
While Onavo might be helpful to some Facebook users who live in countries with oppressive governments and Internet censorship, others should steer away from it in order to protect their privacy.