LinkedIn app under scrutiny for transferring iOS calendar entries

Posted:
in iPhone edited January 2014
Security researchers are criticizing LinkedIn's iOS app for a feature that automatically transfers iOS calendar entries to the company's servers.

Skycure's Yair Amit and Adi Sharabani revealed their discovery ahead of a presentation at Tel Aviv University on Wednesday, The New York Times' Bits blog reports. Though the app's syncing feature does require a user's approval, the researchers criticized it for unnecessarily transmitting calendar entries and doing so in an unsecure manner.

"In some cases, grabbing users' sensitive data might be O.K. It is never right to do so without a clear indication. It is far worse when the sensitive information is not really needed in the first place. This is what we found in LinkedIn," said Sharabani.

A spokeswoman from LinkedIn acknowledged the feature as a "clear 'opt-in' experience" and noted that it syncs to the company's servers only when the app is open.

"We use information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person," said spokeswoman Julie Inouye.

The company also responded with a blog post explaining the feature. The post clarified that the data is being sent over a secure SSL connection and is not stored on LinkedIn's servers. Author Joff Redfern, the company's mobile product head, pledged to stop sending meeting notes and to provide a link to more information about how the data is being used.

However, Amit and Sharabani maintained that LinkedIn would only need "unique identifiers" for users and not all of the calendar information. To prove their point, they demonstrated how the password for a confidential financial conference call was being transmitted to the company's servers.
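
The researchers' data-minimization argument, as an added Python sketch (not LinkedIn's or Skycure's code): the upload payload is built from an allow-list, so free-text fields such as meeting notes never reach the wire, and a regression check confirms it. The field names, the sample event and the use of attendee e-mail addresses as the "unique identifiers" are assumptions.

```python
import json

# Assumptions: attendee e-mail addresses are the "unique identifiers" used for
# profile matching; all field names are hypothetical, not LinkedIn's schema.
ALLOWED_FIELDS = ("start", "end")                   # scheduling data only
FREE_TEXT_FIELDS = ("title", "notes", "location")   # must stay on the device

def normalize_email(raw):
    """Lower-case an address, accepting 'mailto:' URLs; None if unusable."""
    if not isinstance(raw, str):
        return None
    addr = raw.strip().lower()
    if addr.startswith("mailto:"):
        addr = addr[len("mailto:"):]
    local, at, domain = addr.partition("@")
    return addr if at and local and "." in domain else None

def minimize_event(event, owner_email=None):
    """Build the upload payload from an allow-list instead of copying the event."""
    owner = normalize_email(owner_email)
    attendees = set()
    for person in event.get("attendees") or []:
        addr = normalize_email(person.get("email"))
        if addr and addr != owner:   # skip the owner and entries with no address
            attendees.add(addr)
    payload = {k: event[k] for k in ALLOWED_FIELDS if k in event}
    payload["attendees"] = sorted(attendees)
    return payload

def leaked_free_text(event, payload):
    """Regression check: free-text fields whose content reached the payload."""
    wire = json.dumps(payload)
    return [f for f in FREE_TEXT_FIELDS
            if event.get(f) and json.dumps(str(event[f]))[1:-1] in wire]

# Constructed sample event, not data from the article.
SAMPLE_EVENT = {
    "title": "Q3 results pre-brief",
    "notes": "Dial-in 555-0100\npasscode 4821#",
    "start": "2012-06-06T15:00:00Z",
    "end": "2012-06-06T16:00:00Z",
    "attendees": [{"name": "Alice", "email": "mailto:Alice@Example.com"},
                  {"name": "Bob", "email": "bob@example.com"},
                  {"name": "Me", "email": "me@example.com"},
                  {"name": "Room 4"}],
}

if __name__ == "__main__":
    sent = minimize_event(SAMPLE_EVENT, owner_email="me@example.com")
    print(json.dumps(sent, indent=2), leaked_free_text(SAMPLE_EVENT, sent))
```

Running `leaked_free_text` against an unfiltered copy of the event flags `title` and `notes`, which is the behaviour the researchers objected to.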

[Image: LinkedIn code. Source: The New York Times]


LinkedIn was among a number of companies contacted by U.S. congressmen in March to address concerns over information collection and privacy.

The rise of the so-called "app economy" has made the issue of mobile application privacy a hot topic among researchers, legislators and privacy advocates. Earlier this year, the Path app was discovered to be uploading users' address books to servers. Path CEO Dave Morin quickly apologized and promised to delete the information. Apple CEO Tim Cook reportedly was upset by the revelation and "grilled" Morin over the issue at Apple's headquarters in Cupertino, Calif.

Apple has made its own changes in iOS to protect user privacy. Starting with iOS 5, Apple began deprecating developer access to unique device identifiers. Developers reported in March that Apple was rejecting apps that accessed UDIDs. Apple recently published a detailed guide geared toward enterprise customers that outlined the security features in iOS.

However, advertising companies have found workarounds to compensate for the loss of UDID tracking. One recent report suggested that ad networks are now using Open Device Identification Network and OpenUDID standards as substitutes.

Comments

  • Reply 1 of 12
    solipsismx Posts: 19,566 member
    This is bad on Linkedin but it's also something Apple should address with added security not simply an honour system that 3rd-party devs will behave according to guidelines.
  • Reply 2 of 12
    john.b Posts: 2,742 member
    And everyone was bitching about the June 1 deadline to sandbox Mac App Store apps?

    Given recent developer behaviors, I'd say we need more app sandboxing, not less.

  • Reply 3 of 12
    john.b Posts: 2,742 member
    Quote:
    Originally Posted by AppleInsider

    LinkedIn was among a number of companies contacted by U.S. congressmen in March to address concerns over information collection and privacy.

    I'd be curious to find out if LinkedIn misrepresented their data collection techniques under oath.

  • Reply 4 of 12
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by SolipsismX

    This is bad on Linkedin but it's also something Apple should address with added security not simply an honour system that 3rd-party devs will behave according to guidelines.

    I think Apple should place access control on both contacts and calendar similar to both location and PN. However, the issue with LinkedIn is not unauthorized access to the calendar. It is that LinkedIn transferred all entries in the calendar. I don't know what was expected but if someone opted-in for calendar sync they should expect EVERYTHING to be synced.

    My only issue is not encrypting the connection when syncing.

  • Reply 5 of 12
    solipsismx Posts: 19,566 member
    nasserae wrote: »
    I think Apple should place access control on both contacts and calendar similar to both location and PN. However, the issue with LinkedIn is not unauthorized access to the calendar. It is that LinkedIn transferred all entries in the calendar. I don't know what was expected but if someone opted-in for calendar sync they should expect EVERYTHING to be synced.

    My only issue is not encrypting the connection when syncing.

    There still aren't encrypted connections for data? Apple should make that mandatory.

    As for the other, in Address Book on the Mac the vCard export has the option to not export the notes section for contacts so I would have expected that notes are synced or accessible from the apps that do get access to Calendar.
  • Reply 6 of 12
    nasserae Posts: 3,167 member
    solipsismx wrote: »
    There still aren't encrypted connections for data? Apple should make that mandatory.
    As for the other, in Address Book on the Mac the vCard export has the option to not export the notes section for contacts so I would have expected that notes are synced or accessible from the apps that do get access to Calendar.

    The problem with using encryption in iOS apps is the extra paperwork that needs to be done before submitting the apps. Any app using encryption must file special forms with the US government.
  • Reply 7 of 12
    ireland Posts: 17,798 member
    I detest LinkedIn.

  • Reply 8 of 12
    fulldecent Posts: 108 member
    This is documented. LinkedIn also steals contact details from your Google Account and uploads them.

    http://privacylog.blogspot.com/2008/12/privacy-fail-linkedin-steals-private.html

  • Reply 9 of 12
    charlituna Posts: 7,217 member
    Quote:
    Originally Posted by SolipsismX

    This is bad on Linkedin but it's also something Apple should address with added security not simply an honour system that 3rd-party devs will behave according to guidelines.

    I do believe that the guideline is that they can't use your data without telling you that they intend to do it and requesting your permission, which LinkedIn says they do. So if this is true, how are they violating guidelines? Seems that they aren't. So where's the failure in this 'honour system' that needs to be fixed? Nowhere in this case.

    Now would it be better if they set it up so that you could select exactly which calendars in the Calendar app are shared and thus you could set up a 'work' calendar and put your meetings on there etc.? Sure, if that's not already in there it would be a good feature. But is it vital to be in compliance? Probably not if they have the opt in set up and are clear that 'all' data is being shared.

    Further, there's no proof that they are lying about using SSL or not storing data. So again, where is the noncompliance? Frankly, this sounds like a pile of basically FUD exaggerated so this security company can get some attention for their big discovery that isn't really that big.

  • Reply 10 of 12
    orlando Posts: 601 member
    More bad news for people using LinkedIn. Hackers are claiming to have six million LinkedIn passwords and have posted the file on the Internet.
  • Reply 11 of 12
    markbyrn Posts: 661 member
    Deleted app

  • Reply 12 of 12
    moxom Posts: 326 member
    Quote:
    Originally Posted by Orlando

    More bad news for people using LinkedIn. Hackers are claiming to have six million LinkedIn passwords and have posted the file on the Internet.

    Yep, check out BBC for more details....
