There’s a lot of buzz regarding LinkedIn’s new iOS app – Intro. Some are hailing it, others hate it. To clarify what’s going on, we’ve put together this FAQ.
Q: What’s LinkedIn Intro?
A: It’s LinkedIn’s iOS extension for mail. As opposed to other mail apps which “simply” provide you with the name of the sender, Intro allows you also to see the sender’s LinkedIn profile info.
Q: Why the complaints?
A: It’s how LinkedIn does this email enhancement. In order to add the LinkedIn info, incoming emails through Intro actually make a stop at LinkedIn servers before proceeding to your inbox. Most disturbing is that LinkedIn intercepts all communication – basically, modifying the content of emails that you receive.
In security jargon, LinkedIn is performing what’s called a “Man-in-the-Middle” – eavesdropping and intercepting communications between the device and the email server.
Q: But LinkedIn doesn’t have malicious intentions. Why should I care that they do that?
A: For one, you’re giving your email information to a third party without necessarily knowing or planning that you’re doing so (doesn’t “Next, next, next” sound familiar when installing apps and configurations?).
Second, consider the seemingly innocuous data (such as sender and recipient’s addresses and location) flowing through LinkedIn servers. All this data – gathered from your device, from recipients, from groups, circles (you get the point!) – is put together. Ultimately, you’ve given LinkedIn much more information than you bargained for… You and the hiring company are not the only ones now knowing you’re planning on leaving your job.
Q: Sounds like this raises even more security and privacy implications.
A: Precisely. Consider, for instance, the legal ramifications when the email is confidential between you and the recipient. Yet, it passed through another party. It could be that sensitive business material regarding the company’s Intellectual Property, sales meetings, etc. is being communicated. Yet, these emails are being intercepted.
Consider also the case where LinkedIn servers are breached and the stored data is leaked. Your information now isn’t only in the hands of LinkedIn.
Q: How can LinkedIn technically re-route all the emails through their servers?
A: LinkedIn does this by asking you to install a configuration profile. A configuration profile is an extremely sensitive feature which allows re-defining system functionality parameters such as device, mobile carrier and network settings.
LinkedIn’s configuration profile includes certificate information (i.e. a stamp of authenticity). It also defines a unique email account on the LinkedIn servers for each email account you have. In turn, the LinkedIn email accounts link to your respective email accounts.
The reason that LinkedIn does this through a configuration profile is basically to circumvent the mail apps’ security mechanisms. Mail apps do not allow extensions for the simple reason that emails are intended to be kept private and not altered. However, a configuration profile jumps over those security hurdles.
Q: Can I view the different profiles that are currently installed on my devices?
A: Sure. If you have any profiles installed, they’ll appear under the device’s Settings->General->Profiles.
Each email account that you have has a corresponding Intro configuration profile. The name of the profile follows the pattern: Intro+NameOfYourUsualEmailAccount
Q: Can malicious parties also use configuration profiles to re-route traffic through their servers?
A: Yes. A user may be tricked to download a malicious configuration profile. Depending on the malicious profile, the device can be configured to re-route email traffic. But capabilities can also include the installation of rogue apps, and even the decryption of communications.
Q: Were there any known incidents where a party installed a malicious profile on an individual’s device without their knowledge? Is this what the NSA is alleged to have done to leaders in various countries, such as with Germany’s Chancellor, Merkel?
A: In August 2012, and then again in March 2013, researchers exposed a highly sophisticated mobile attack tool, named FinSpy. FinSpy reportedly targeted journalists and civilian activist groups worldwide. FinSpy activated the mobile’s microphone, took screenshots and bypassed encryption methods and communications.
We have no idea whether the NSA conducted any mobile espionage. If the claims are true, then most likely the eavesdropping was performed in a different manner – not through malicious configuration profiles.
Q: Does LinkedIn perform similar activity for Android devices?
A: No. The Android OS does not provide the option of adding a feature with capabilities similar to those of a configuration profile.
Q: Any recommendations?
A: As for LinkedIn Intro, we recommend you not to install it.
If you have already installed Intro, you can uninstall it using the Intro Web app, which removes the configuration profile. To avoid any surprises, be aware that behind the scenes a new configuration profile is downloaded. This new configuration profile overrides the previous configuration and its email account settings. It is important to note, though, that if you’re using Gmail as your email provider this will still not revoke the LinkedIn Intro account’s access to your Gmail account. You will need to manually go to your Gmail account settings and revoke LinkedIn’s access to your account.
In general, as a best practice, always check your configuration profiles. The configuration profiles will usually contain Access Point Name (APN) definitions of your mobile operator, and a VPN in case you’re accessing corporate resources. The configuration profiles appear under Settings->General->Profiles. If any of the details there sound dodgy, they might actually be.
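To make the “check your configuration profiles” advice concrete, here is an added example (not LinkedIn’s profile and not code from the original post) that inspects a .mobileconfig file offline and reports the payloads that matter: mail account payloads whose servers are outside the mailbox’s own domain, certificate payloads, and VPN payloads. The sample profile and its hostnames are constructed for illustration.

```python
import plistlib

# Constructed sample profile: one IMAP account payload whose servers do not
# belong to the mailbox's own domain, plus a root certificate payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Intro+alice@example.com</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAddress</key><string>alice@example.com</string>
      <key>IncomingMailServerHostName</key><string>imap.proxy.invalid</string>
      <key>OutgoingMailServerHostName</key><string>smtp.proxy.invalid</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Some Root CA</string>
    </dict>
  </array>
</dict></plist>"""

# Payload types that change where mail goes or what the device trusts.
SENSITIVE_TYPES = {
    "com.apple.mail.managed": "mail account (may point the account at a third-party server)",
    "com.apple.security.root": "root certificate (device will trust what it signs)",
    "com.apple.security.pkcs1": "certificate",
    "com.apple.vpn.managed": "VPN (all traffic may be tunnelled elsewhere)",
}

def audit_profile(data: bytes) -> list:
    """Return one finding string per noteworthy payload in a .mobileconfig."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in SENSITIVE_TYPES:
            continue
        note = f"{ptype}: {SENSITIVE_TYPES[ptype]}"
        if ptype == "com.apple.mail.managed":
            # Flag mail servers that are not in the account's own domain.
            domain = payload.get("EmailAddress", "@").split("@")[-1].lower()
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = payload.get(key, "").lower()
                if host and not (host == domain or host.endswith("." + domain)):
                    note += f"; {key}={host} is outside {domain}"
        findings.append(note)
    return findings

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print(line)
```

The same function works on any exported .mobileconfig read as bytes; a mail payload whose servers sit outside your provider’s domain is exactly the re-routing described above.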
Q: Where can I read more?
- TechCrunch provides a great short summary of the feature – http://techcrunch.com/2013/10/24/do-not-want/
- Our friends at Bishop Fox put together a great blog entry on the 10 reasons why not to install Intro –