"We work hard to protect user privacy and data security throughout the Apple ecosystem," an Apple spokesperson said in an email to CNBC on Wednesday. "With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user's device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used."
According to a Wall Street Journal story on Wednesday, citing a person familiar with the matter, Apple officials told Facebook last week that Onavo violated the company's rules on data collection by developers, and suggested last Thursday that Facebook voluntarily remove the app.
Facebook acquired Israel-based Onavo in 2013, snapping up the free security app that lets users access a virtual private network, or VPN, to browse the web and download apps with a greater degree of privacy. Facebook in the past has offered that service to users without clearly disclosing that it owns the app, and has collected data about what other types of apps those customers use.
In June, Facebook told Congress that it does not use Onavo data "for Facebook product uses" or to collect information about individuals, but it has admitted to using Onavo to gather broad information about which apps are popular and how people are using them, which it uses to improve its own products.
Facebook said in a statement that it's transparent with Onavo users.
"We've always been clear when people download Onavo about the information that is collected and how it is used," the company said. "As a developer on Apple's platform we follow the rules they've put in place."
The Onavo controversy is yet another setback for Facebook, which is dealing with an onslaught of criticism for how the platform was exploited by foreign actors ahead of the 2016 presidential election. On Tuesday, the company held a call with reporters to discuss its latest removal of hundreds of pages and content originating in Iran and Russia for "coordinated inauthentic behavior."