LinkedIn Intro iOS app intercepts users’ emails on iPhone and much more

Pierluigi Paganini October 26, 2013

LinkedIn launched the LinkedIn Intro app for iOS to show LinkedIn profiles right inside the native iPhone mail client. What is the effect on privacy and security?

LinkedIn, like any other social media platform, is a mine of information about internet users, and for this reason the number of attacks against it is soaring. The principal social media platforms are extending their offerings with new services, including on mobile platforms. LinkedIn, for example, has launched a new app for iOS devices called LinkedIn Intro that lets Apple users see a picture of the sender, and other useful profile information from LinkedIn, when they receive an email.


How does it work?

Simple: to use the service, a LinkedIn user must route all of their email (Hotmail, Gmail, Yahoo, etc.) through LinkedIn’s Intro servers, which inject into each message the HTML needed to display the sender’s profile information.

The following image shows the way LinkedIn Intro presents the information.


LinkedIn Intro feature

The downside is that LinkedIn has to read the content of users’ emails to implement this feature, and it also handles the users’ passwords for their email accounts at other providers; the consequences for privacy and security are clear.

LinkedIn replied to the accusations by maintaining that the process is totally secure. According to the company, during installation its servers only temporarily cache the user’s password in order to add the new Mail account to the user’s device; the password is cached only for the time needed to install LinkedIn Intro, and in any case never for more than two hours.
Moreover, LinkedIn also accesses the contents of users’ iOS calendars, notes and call-in numbers, which are then transmitted in plain text, unencrypted.

Considering that Apple provides no developer tools (e.g. APIs) for extending the native Mail client, the only way to implement the feature is to operate as a man in the middle: the Intro servers intercept the mail traffic and inject the HTML into the messages. LinkedIn’s own description of the architecture confirms this:

“Normally your device connects directly to the servers of your email provider (Gmail, Yahoo, AOL, etc.), but we can configure the device to connect to the Intro proxy server instead. The Intro proxy server speaks the IMAP protocol, just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.”
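The proxy mechanism described above, modelled as an added example (this is not LinkedIn’s code, and it makes no network connection): a relay sits between the mail client and the real IMAP server, receives a FETCH response carrying the message as an IMAP literal, prepends an HTML top bar to the body, and must then recompute the literal’s byte count before forwarding it to the device. The sample message, the FETCH framing and the contents of the top bar are constructed for the example; it generalises beyond the single-part case in the text by also handling multipart messages (the HTML part is rewritten if present, otherwise the plain-text part).

```python
"""
Model of the IMAP-rewriting proxy described above: the proxy relays a FETCH
response from the real mail server to the device and prepends an HTML "top
bar" to the message body on the way through.  Only the rewriting step is
modelled; nothing is sent over the network.
"""
import email
import html
import re
from email import policy

# Constructed sample message, as the upstream IMAP server would deliver it
# inside a FETCH (BODY[]) literal.  Addresses and content are made up.
SAMPLE_MESSAGE = (
    b"From: Alice Example <alice@example.com>\r\n"
    b"To: Bob Example <bob@example.net>\r\n"
    b"Subject: Meeting\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><p>See you at 10.</p></body></html>\r\n"
)

# Start of an untagged FETCH response carrying the message as an IMAP literal:
#   * 7 FETCH (BODY[] {123}\r\n<123 bytes>)\r\n
FETCH_LITERAL_RE = re.compile(rb"^(\* \d+ FETCH \(BODY\[\] \{)(\d+)(\}\r\n)")


def build_fetch_response(seq: int, message: bytes) -> bytes:
    """Frame a raw message the way an IMAP server returns it for BODY[]."""
    return b"* %d FETCH (BODY[] {%d}\r\n" % (seq, len(message)) + message + b")\r\n"


def build_top_bar(sender: str) -> str:
    """Hypothetical top bar, standing in for whatever profile lookup the real
    service performed.  The sender comes from an untrusted From: header, so it
    is HTML-escaped; otherwise a crafted header would inject markup into the
    mail client of every recipient the proxy serves."""
    return (
        '<div class="intro-top-bar">\n'
        f"  LinkedIn profile for {html.escape(sender)}\n"
        "</div>\n"
    )


def inject_top_bar(raw: bytes) -> bytes:
    """Parse a raw RFC 5322 message, prepend the top bar to the part the client
    will render (the HTML part if there is one, else the text part), and
    re-serialise it.  Works for single-part and multipart messages."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    top_bar = build_top_bar(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return raw                          # nothing renderable: pass through
    if body.get_content_type() == "text/html":
        body.set_content(top_bar + body.get_content(), subtype="html")
    else:
        # Plain-text body: wrap it so the bar renders alongside the text.
        escaped = html.escape(body.get_content())
        body.set_content(top_bar + "<pre>" + escaped + "</pre>\n", subtype="html")
    return msg.as_bytes(policy=policy.SMTP)


def rewrite_fetch_response(resp: bytes) -> bytes:
    """Rewrite one FETCH response from the upstream server.  Because the body
    changes length, the literal's byte count has to be recomputed; forwarding
    the original count would desynchronise the client's IMAP parser."""
    m = FETCH_LITERAL_RE.match(resp)
    if m is None:
        return resp                         # not a BODY[] literal: pass through
    size = int(m.group(2))
    start = m.end()
    literal = resp[start:start + size]
    if len(literal) != size:
        raise ValueError("truncated literal in FETCH response")
    tail = resp[start + size:]              # normally b")\r\n"
    new_literal = inject_top_bar(literal)
    return m.group(1) + b"%d" % len(new_literal) + m.group(3) + new_literal + tail


def declared_literal_size(resp: bytes) -> int:
    """Byte count the response claims for its literal (-1 if there is none)."""
    m = FETCH_LITERAL_RE.match(resp)
    return int(m.group(2)) if m else -1


if __name__ == "__main__":
    upstream = build_fetch_response(7, SAMPLE_MESSAGE)
    to_device = rewrite_fetch_response(upstream)
    print(to_device.decode("utf-8", "replace"))
```

The point to take from the example is what the proxy has to be able to do in order to work at all: it parses every message in cleartext, rewrites MIME structure and re-frames the IMAP protocol on the fly, and any bug in that path (the unescaped header shown in `build_top_bar` is the obvious one) affects every user whose mail flows through it.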

LinkedIn Senior Software Engineer Martin Kleppmann explained in a blog post that LinkedIn Intro does not represent a threat to user security: users have to install the LinkedIn Intro app manually, and user data, including credentials and email, is not permanently stored by LinkedIn but remains on the user’s iPhone.
“We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. Our principles and key security measures are detailed in our pledge of privacy.”
Personally I have no doubts … considering the recent revelations on the US surveillance programs, I am not able to find the utility of features such as LinkedIn Intro, which in my humble opinion could enlarge our attack surface and threaten users’ privacy.

Pierluigi Paganini

(Security Affairs –  LinkedIn Intro, privacy, mobile)


