LinkedIn Mobile App Sending all User Info to Servers
As the popularity of social networking continues to grow, many people are using social networks to gain an advantage in the business world. For example, LinkedIn is a social network specifically for business people; it allows them to maintain their schedules, create appointments and reminders, and keep in touch with their business partners and colleagues. LinkedIn even has a mobile app which offers all the same great features on the go. However, the users of this mobile app may be a little surprised to know that their personal information is being sent directly to LinkedIn’s servers without their knowledge or consent.
The findings of the research into this case will soon be presented at Tel Aviv University. The study was conducted by a pair of mobile security experts, Yair Amit and Adi Sharabani, who discovered the behavior in LinkedIn’s mobile app. In the mobile app, there is an option to view a user’s full calendar, similar to what the user would expect to see on the website while sitting at a computer. However, as soon as users begin using that option to view their calendars, LinkedIn automatically begins transmitting all of the information from that calendar to the company’s servers. That may include tons of personal or financial information, not to mention that this operation is done without the knowledge or specific consent of the users.
In addition to all of the implications of what LinkedIn can do with this information, it may also be a direct violation of Apple’s privacy guidelines, which all apps and programs must abide by before becoming available on the iPhone or iPad. A similar practice came to light earlier this year when a developer noticed that Path, the popular mobile social network, was uploading entire address books to its servers without users’ knowledge. That practice came under scrutiny by members of Congress. In response, Path said it would stop the practice and destroy the data it had collected.
App makers covet such data to help quickly expand the network of people who use their program. But in LinkedIn’s case, Mr. Amit and Mr. Sharabani say, there is no legitimate reason why LinkedIn would need to transmit and store detailed calendar entries and meeting notes on its servers.
“In some cases, grabbing users’ sensitive data might be O.K. It is never right to do so without a clear indication. It is far worse when the sensitive information is not really needed in the first place. This is what we found in LinkedIn,” said Mr. Sharabani.
Asked about the practice, Julie Inouye, a LinkedIn spokeswoman, said that the company’s “calendar sync feature is a clear ‘opt-in’ experience” that syncs only when the LinkedIn app is open and that members could opt out of the calendar feature at any point. (On the iPhone or iPad, go to Settings, go to LinkedIn and slide off the “calendar” option.)
“We use information from the meeting data to match LinkedIn profile information about who you’re meeting with so you have more information about that person,” Ms. Inouye said.
She did not clarify why LinkedIn transmits calendar information to its servers.
“In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn needs is unique identifiers of the people you are going to meet with, not all the details of your planned meetings,” Mr. Amit and Mr. Sharabani wrote in an e-mail.