LinkedIn app uploads complete calendar entries
Source: The Next Web
The most recent versions of the LinkedIn application (iOS, Android) let users add their own calendars in order to automatically pull profile information about other meeting participants from the social network. According to an analysis by two security researchers at Skycure Security, however, once this feature is activated, the app uploads not only the meeting participants to the LinkedIn servers but also all the other information about the user's appointments.
Every time the LinkedIn app is opened, it apparently uploads – in plain text – all calendar data for the next five days, including the title of each appointment, time and location, organiser, participant names and email addresses, and appointment notes. While the information is apparently encrypted on the way to the company's servers, all data being sent is accessible to LinkedIn on the other end.
In a recent blog post, the company emphasised that data is only transferred when the app is open and after the user has given permission. LinkedIn also points out that the feature can be turned off at any time in the settings and that data is sent over an encrypted SSL connection. Calendar information is not saved, says the company, nor is it used for any other purpose besides matching meeting participants with their LinkedIn profiles. Joff Redfern, mobile product head at LinkedIn, writes that the additional meeting information is transferred to improve this matching process.
The social network has promised to stop transferring information from meeting notes to its servers and to give users more information within the app about how their calendar data is being used. The latest version of the Android app already includes these changes and version 5.0.3 of the iPhone app, shipped today, includes the innocuously titled "improvements in calendar" feature.
In the past few months, careless handling of user data has drawn attention to a number of smartphone applications providing various services; Path, for example, sent users' entire address books to its servers without asking or even informing them. While Android applications must receive user permission for access privileges before installation, Apple has so far trusted developers who want address book and calendar access to include a notice and get users' agreement. The company has stated, however, that an upcoming iOS update will also warn users when an application wants to access their address book. There is no word on whether the same warning will apply to user calendars.
- LinkedIn passwords in circulation – Update, a report from The H.