Friday, October 25, 2013

LinkedIn Intro brings LI info into your iOS Email, as well as security concerns

Does anyone remember June of 2012, when hackers managed to get their virtual hands on 6.5 million LinkedIn passwords? We do, and you should too, at least if you want to use LinkedIn's new Intro service, which LinkedIn launched on Wednesday.

Apple has not made the native iOS Email app extensible, so how could LinkedIn do this, short of using an app for jailbroken devices?

Intro literally injects the LinkedIn info of email senders into your emails, such that it can be displayed in the built-in iOS Email app. You give the company the email credentials of your accounts -- except for Gmail, where the company uses the more secure OAuth protocol -- and Intro works as a middleman service, taking the email content and injecting LinkedIn information in the form of HTML into the email.

[As part of the installation process, a user is also required to add a configuration profile that contains a set of signing certificates.]
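Because the profile step is where Intro gets certificates and mail settings onto the device, a practitioner would want to see exactly which payloads a configuration profile carries before installing it. The following is an added example, not LinkedIn's code and not the actual Intro profile: it parses a constructed .mobileconfig (an Apple property list) with Python's standard `plistlib` and reports the payloads that install certificates or reconfigure a mail account, including the mail server hostnames they point at. The `PayloadType` identifiers and mail keys used are Apple's documented ones; the hostnames and identifiers in the sample are made up for this example.

```python
import plistlib

# Apple configuration-profile payload types that warrant a closer look before
# installing: they add certificates (possibly new trust anchors) or configure
# a mail account that could route traffic through a third-party server.
SENSITIVE_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a root CA certificate (new trust anchor)",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.security.pkcs12": "installs a certificate with its private key",
    "com.apple.mail.managed": "configures a mail account (check where it points)",
}

# Constructed sample profile for this example; it is NOT LinkedIn's real profile.
# Note: a CMS-signed .mobileconfig is DER-wrapped and must be unwrapped
# (e.g. with an S/MIME tool) before plistlib can read it.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.constructed</string>
  <key>PayloadDisplayName</key><string>Constructed sample profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs1</string>
      <key>PayloadIdentifier</key><string>example.profile.constructed.cert</string>
      <key>PayloadDisplayName</key><string>Signing certificate</string>
      <key>PayloadContent</key><data>MIIB</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>example.profile.constructed.mail</string>
      <key>PayloadDisplayName</key><string>Mail account</string>
      <key>IncomingMailServerHostName</key><string>imap-proxy.example.invalid</string>
      <key>OutgoingMailServerHostName</key><string>smtp-proxy.example.invalid</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>example.profile.constructed.clip</string>
      <key>PayloadDisplayName</key><string>Home screen shortcut</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(profile_bytes):
    """Parse an unsigned .mobileconfig and return a list of findings, one per
    payload that installs a certificate or configures a mail account."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        reason = SENSITIVE_PAYLOAD_TYPES.get(ptype)
        if reason is None:
            continue  # payload type not on the watch list
        detail = {}
        if ptype == "com.apple.mail.managed":
            # Surface the servers the account will talk to.
            detail = {
                key: payload.get(key)
                for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName")
            }
        elif ptype.startswith("com.apple.security."):
            # Certificate bytes are embedded as <data>; record how much is there.
            detail = {"cert_bytes": len(payload.get("PayloadContent", b""))}
        findings.append({
            "name": payload.get("PayloadDisplayName", "(unnamed)"),
            "type": ptype,
            "reason": reason,
            "detail": detail,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(f"{finding['name']}: {finding['type']} -- {finding['reason']} {finding['detail']}")
```

Run it against a real profile by reading the file's bytes in place of `SAMPLE_PROFILE`; a mail payload whose server hostnames belong to someone other than your email provider is exactly the middleman arrangement the post describes.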

If it sounds slick, it is, and LinkedIn was very self-congratulatory in its own blog post on the release. In fact, the title of the post was "LinkedIn Intro: Doing the Impossible on iOS."

However, is this something you really want? You have to give the company your email credentials. While we expect that LinkedIn is a safe provider, we can't necessarily add the word "secure" to that, based on last June's events.

In June of 2012, hackers not only broke into LinkedIn servers and acquired 6.5 million passwords, it was also -- that same month -- reported that LinkedIn collected and transmitted names, emails and notes from users' calendars without explicit permission -- and in plain text.

These sorts of issues make us question the sanity of giving LinkedIn our credentials. The havoc that a hacker could wreak on our lives with our email information is huge. While Intro does not explicitly violate any Apple developer TOS rules, Mail isn't extensible for a good reason: email is a common way to get malware, and Apple wants the sandboxed nature of its apps to protect a user from malicious code that could otherwise execute outside the mailbox.

Given that, we wouldn't be surprised if Apple booted the app from the App Store. We also wouldn't be surprised if it wasn't booted, since Intro doesn't explicitly violate any TOS.

On the other hand, this violates our safety standards, and we will take a pass on it.
