
You have to intercept to gather metadata... but semantics aside, they are deceiving users.

First there is the marketing scam reported in the app store reviews, people who installed it because some web site told them they have a virus and they need this thing to fix it.

Second, the only mention of their logging practices is buried below the fold in the last line of their description: "Onavo receives and analyzes information about your mobile data and app use." This is just vague enough to deceive a user that believes it is merely to support their user-facing features, i.e. giving you a report on what you use... not Facebook for spying purposes. Of course, most users never even get that far in the description. They're installing this to "secure their phone" because of a scary ad they saw.

These guys know exactly what they're doing. Most of their users, not so much. That's where we come in. The App Store exists to help protect users from this kind of exploitation and I hope Apple and our community take action.




> some web site told them they have a virus and they need this thing to fix it

I did some investigating of one of those sites, and from what I can tell, they are using App Store affiliate links, and rotating amongst a handful of accounts. If they can convince you that you have a virus, and they take you to the $30 Symantec app that has good reviews, they get a nice commission. Symantec doesn't even have to have anything to do with those sites.


Onavo is a free app. There's no commission to link to it. They are the only entity with an incentive to link a scammy ad to their app install.


No, you don't need to:

https://stackoverflow.com/questions/12613402/android-statist...

https://stackoverflow.com/questions/41768642/detect-current-...

They just want to know how much you use each app on your phone and not anything related to the TCP exchange. Therefore no MITM has to take place.

The rest, I fully agree with you: one deception paves the way to another. I think just making users aware that it's Facebook tracking their app usage and not some "Onavo" would be enough for people to think better about their privacy.


Onavo uses a VPN, unlike the techniques you linked to (which are Android only as well). They intercept all web traffic and know every site you visit.


> First there is the marketing scam reported in the app store reviews, people who installed it because some web site told them they have a virus and they need this thing to fix it.

This is common and I am not entirely sure Onavo supports this wittingly. Most times that I have seen it, the ad redirects to the "Norton Wi-Fi Privacy" page on the App Store instead.

Agreed on point #2, they should be much clearer on what they do with user data.



