Apple has updated its rules to restrict app developers’ ability to harvest data from mobile phones, which could be bad news for a Facebook-owned data security app called Onavo Protect.

Onavo ostensibly provides users with a free virtual private network (VPN) which, it claims, helps “keep you and your data safe when you browse and share information on the web”. What is not immediately obvious is that it also reports back to Facebook which other apps you are using and how much you are using them.

“The problem with Onavo is that it talks about being a VPN that keeps your data private, but behind the scenes it’s harvesting your data for Facebook,” said Ryan Dochuk, CEO of the paid-for VPN TunnelBear. “It goes against what people generally expect when they use a VPN.”

Onavo has been a Trojan horse for Facebook (in the classical sense, not as malware), allowing it to gather intelligence on the apps people use on tens of millions of devices outside its empire. This real-time market research highlights which apps are becoming popular and which are struggling. Such competitive intelligence can inform acquisition targets and negotiations as well as identify popular features it could copy in rival apps.

As first reported by Bloomberg, Apple’s new App Store rules explicitly ban the collection of “information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing”, which appears to be intentionally worded to clamp down on apps like Onavo.

“Apple has been very clear that it’s pro-privacy,” said Joseph Jerome, a privacy specialist from the Center for Democracy and Technology, “and with every iteration of iOS [Apple’s mobile operating system] has been trying to restrain the ability of apps to know what’s going on on the device if a user hasn’t authorised it.”

Onavo started life in Tel Aviv in 2010 as a startup that helped people reduce their wireless bills by compressing incoming data on an iPhone or Android device. It also highlighted which apps were using the most data. For mobile publishers, it provided analytics to help them keep track of how their apps were performing against competitors. In May 2013, it launched a VPN called Onavo Protect, which promised to protect people’s data when they were browsing the web from their phone on a public wifi network.

Facebook bought the company in October 2013 for an undisclosed sum, estimated to be between $100m and $200m.


VPNs work by redirecting and encrypting all data leaving your computer, phone or tablet and sending it to another server in another location. They position themselves as tools for protecting people’s privacy and security, but that very much depends on who is running the VPN and how they make their money.

“This server is in a really privileged position,” said Dochuk. “Essentially, it needs 100% of consumer trust because 100% of their data is going through that server.”

This means whoever runs the VPN knows which apps are installed on your device and how much you use them; which websites you visit; and your device type and location.

There are some VPNs, such as TunnelBear, that cover their server and bandwidth costs through paid subscriptions and others, like Hola and Onavo, that provide a free service to the end user, but extract value from the data they collect or by selling people’s unused bandwidth.

“If you’re not paying with your money you are probably paying with your data,” said Will Strafach, a security specialist who has analysed the Onavo app.

According to the Wall Street Journal, Facebook employees have put the Onavo data to good use by monitoring the performance of rival Snapchat, particularly after Facebook’s Instagram app launched similar features. Onavo’s data also reportedly helped guide Facebook’s decision to buy WhatsApp for $19bn in 2014 and to clone the popular group video chat app Houseparty.

In written questions following CEO Mark Zuckerberg’s congressional testimony in April, lawmakers asked Facebook whether its use of data gleaned from Onavo violated the privacy consumers expect of a VPN.

Facebook said that it explained what data it would receive when a user installed the app.

“This helps us improve and operate the Onavo service by analysing your use of websites, apps and data,” Onavo Protect’s App Store messaging reads. “Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.”

Users have to accept these terms before using the app.

The company has acknowledged it uses Onavo to monitor competitors, but it insists this is not unusual: “Websites and apps have used market research services for years.”

Facebook said it did not connect the app usage data collected through Onavo to the data collected from an individual’s Facebook account.

Strafach said it would be easy for Facebook to connect the data if the person also had the Facebook app installed on their phone.

“You just have to trust that they are not doing that,” he said.

Given Facebook’s recent track record with data privacy, that trust may have slightly eroded.