Security pros slam LinkedIn mobile app


By Dylan Bushell-Embling
Thursday, 31 October, 2013


Business social network LinkedIn has raised the ire of security specialists with a new iOS app that reroutes all of a user’s emails through its servers.

The new app, Intro, is designed to integrate LinkedIn users’ profiles with the Apple Mail app. It can, for example, display LinkedIn profile data along with the names of people who email a user. It can also display an email sender’s mutual connections, job description and past work history.

On the surface, this sounds like it would provide value for users while also serving as a clever way for LinkedIn to encourage greater use of the social network. But security experts have taken issue with the way it achieves its function.

Sophos Senior Security Analyst Graham Cluley has stated that the app “sends a shiver down my spine”. Security consulting firm Bishop Fox called aspects of the new app “a dream for attackers”. Sophos Global Head of Security Research James Lyne said LinkedIn is effectively “advertising” for cybercrooks and nation states to “hack here”.

The app reconfigures iPhones to route all IMAP and SMTP traffic through a LinkedIn proxy server, which acts as a middleman for email communications, Bishop Fox wrote in a widely linked blog post. The proxy then scans emails and inserts LinkedIn Intro information into them.

“‘But that sounds like a man-in-the-middle attack!’ I hear you cry,” the blog states. “Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing.”

The app by default changes the content of emails by including a new signature, Bishop Fox said. “The introduction of new data sources into a medium rife with security issues such as email is a dream for attackers.”

The new signature also means that cryptographic signatures can no longer be verified, and encrypted emails are likely to break for the same reason, the firm said.
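The point in the previous paragraph is mechanical rather than a matter of opinion: an end-to-end signature (DKIM, S/MIME or PGP) covers the message body as the sender produced it, so anything an intermediary appends in transit makes the recipient's verification fail. The following is an added example, not code from the article or from LinkedIn or Bishop Fox. It uses an HMAC as a stand-in for the sender's asymmetric signature (the break-on-modification behaviour is the same), and the `proxy_insert_footer` and `proxy_resign` functions, the keys and the sample message are all constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key standing in for the sender's (or sending domain's)
# signing key; a real DKIM or PGP signature uses an asymmetric key pair.
SENDER_KEY = b"constructed-demo-signing-key"


def canonical_body(body: bytes) -> bytes:
    """Normalise line endings and drop trailing blank lines, the kind of
    canonicalisation a DKIM-style body hash is computed over."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def sign_body(body: bytes, key: bytes = SENDER_KEY) -> str:
    """Sender side: produce a tag that covers the whole canonical body."""
    return hmac.new(key, canonical_body(body), hashlib.sha256).hexdigest()


def verify_body(body: bytes, tag: str, key: bytes = SENDER_KEY) -> bool:
    """Recipient side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical_body(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def proxy_insert_footer(body: bytes, footer: bytes) -> bytes:
    """Models an intermediary that appends profile data to the body in
    transit (assumed behaviour for this example, not Intro's actual code)."""
    return body.rstrip(b"\r\n") + b"\r\n\r\n-- \r\n" + footer + b"\r\n"


def proxy_resign(body: bytes) -> str:
    """An intermediary can re-sign the altered body with its own key, but
    a recipient who trusts only the sender's key still cannot verify it."""
    return sign_body(body, key=b"constructed-proxy-key")


def demo() -> dict:
    """Constructed message and footer; returns the three verification results."""
    original = b"Hi Alice,\r\nThe quote is attached.\r\nBob\r\n"
    tag = sign_body(original)
    footer = b"Bob Example - 3 mutual connections (constructed footer)"
    modified = proxy_insert_footer(original, footer)
    return {
        "original_verifies": verify_body(original, tag),
        "modified_verifies": verify_body(modified, tag),
        "resigned_by_proxy_verifies": verify_body(modified, proxy_resign(modified)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things worth noticing when running it: the canonicalisation means extra trailing blank lines do not break verification, which is deliberate tolerance for mail-server whitespace handling, but any real inserted text does; and re-signing on the proxy does not help the recipient, because the trust decision is anchored in the sender's key, not the intermediary's.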

Bishop Fox also brought up the controversy over US state surveillance program PRISM. “If I were the NSA and I hear everyone’s mobile phones were routing their emails through LinkedIn … well I know where I’m having my next birthday party.”

In his own blog post, Cluley said the Intro app is “pretty nifty” from an engineering perspective. “But from the security and privacy point of view it sends a shiver down my spine.” He pointed out that LinkedIn’s security and privacy records are not exactly spotless.

“In case you’ve forgotten, LinkedIn is the company which lost the passwords of over six million users last year. LinkedIn also scooped up the contents of users’ iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers - which they then transmitted in plain text, not encrypted,” he said.

“I’m not suggesting that it has created LinkedIn Intro with any malicious intentions (unless you consider them injecting an advertisement for their brand in every email malicious), but clearly security is not part of the company’s DNA - and that troubles me.”

In a guest post on Forbes.com, Cluley’s colleague Lyne meanwhile argued that if attackers managed to compromise LinkedIn Intro servers, the implications could be widespread.

“They would have access to a wide variety of users’ email and could conduct activities from credential harvesting, content manipulation or even delivery of malicious code or targeted scams,” he said. And for corporate email, he said, breaking the encryption at an intermediate point in order to inject Intro content would make the service an attractive target for hackers, even though LinkedIn applies its own encryption.

“LinkedIn’s new Intro service has put up a big sign advertising to cybercriminals, nation states and others - ‘hack here, we’ve got loads of juicy data’,” he said.

LinkedIn has been quick to defend the security of the Intro app against what it calls “inaccurate assertions ... that are not correct or are purely speculative”. LinkedIn Senior Manager for Information Security Cory Scott said the company’s security team has “built the most secure implementation we believed possible”.

The credential handling and mail parsing/insertion code has undergone a line-by-line review by respected security consultancy iSEC Partners, he said. Furthermore, the app never persists mail in an unencrypted form, and encrypted content is deleted from the server once the user retrieves the email.

Scott also specifically refuted the claims from Bishop Fox. “We simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device,” he wrote. “We do not change the device’s security profile in the manner described in a blog post that was authored by security firm Bishop Fox.”

But a common complaint among security experts is that Intro adds an extra layer of potential vulnerability to emails, without commensurate benefits for end users.

Image courtesy of Sheila Scarborough under CC
