Onavo and mobileAgent

Update: while I still think that Onavo is collecting more info than they let on (e.g. HTTPS), the "crashing" problem is more around mobileAgent's handling of a proxy than Onavo's specific proxy. The same may be true for GiffGaff. If you are having problems with the latest mobileAgent, get in touch.

I've had a few people recently reporting issues with mobileAgent not being able to work when they are on a 3G connection, but it works fine on WiFi.

I've (with the help of these users - thanks!) narrowed it down to two things:

If you are on GiffGaff (a mobile virtual network operator on top of O2), then this may be the cause of your problem. Not always, but often. If you can, try it with another provider (even O2).

But more likely, if you use a service (in the form of an app) called Onavo Extend, or just Onavo, then that is the problem. (iTunes store link)

Onavo is a "man in the middle" proxy, which markets itself like this: "By compressing your data, Onavo Extend can increase the power of data plan by up to 500% -- giving you the ability to do up to five times more with your current data plan without any additional fees or hassles." It works by sending all your 3G traffic to their servers, where they tightly compress the data, including turning good-quality jpgs into awful-quality, blocky (but a lot smaller) jpgs. Great idea, I must say, if you are happy with the results and side effects.

They claim they do not mess with HTTPS (secure/encrypted) connections, which is what mobileAgent uses to talk to FreeAgent, but really, they can't NOT mess with it, and turning it off fixes the problem. This is especially worrying (from their FAQ):

'Cannot Verify Server Identity' - what is that?
This message is a note from your iPhone informing you that your email is being compressed by Onavo Extend. Click ‘Continue’ and you'll be good to go (and will not be asked again). If you prefer not to shrink your emails, tap the Settings button in the app and set the Email Compression option to OFF

What this actually means is:

"I tried to talk to mail.google.com, but someone else replied, who I couldn't verify was mail.google.com. What do you want to do?".

This is the sign (one of them) of a man-in-the-middle attack. The answer, unless you know why the certificate is not valid, should always be NO. The TL;DR version is: this is very very bad and very very insecure.

So, if you use Onavo, turn it off. Please. Data, especially in the UK, is cheap. Your privacy shouldn't be. (and it'll make mobileAgent work, too!)

Nic Wise

Auckland, NZ