LinkedIn Unintentionally Crowd Sources the “Intro” App

When LinkedIn came out with their new iPhone app “Intro” a couple of months ago, the blogosphere went wild with questions and accusations that this was a prime example of a “Man-in-the-Middle” attack, a term for any party that sits between two communicating endpoints and can read, alter, or redirect the information passing between them.

If you’re unfamiliar with Intro, it’s an app that works around Apple’s mail client by routing mail through a proxy server on LinkedIn’s end and installing a “profile” that lets LinkedIn display the profile of any sender. This is supposed to prove that someone from another company sending you unsolicited email is “the real deal.” The mini profile in the mail client shows you the company he or she works for, with an optional expanding menu of other information from his or her LinkedIn profile. This could be a handy tool for networking and, as LinkedIn proposed, help identify potential business opportunities.

The only problem with this app is the security risk. All of the emails sent and received are transmitted via the LinkedIn servers. LinkedIn says that “all communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system.” It’s that extra hop through a third-party system that people are having trouble with, which many are referring to as the “Man-in-the-Middle.”

Once articles came out exposing Intro’s security issues, many bloggers updated their articles, reporting that LinkedIn responded to their questions and accusations immediately. LinkedIn seemed grateful to these bloggers for taking the time to test the app and find its potential security flaws so they could better address them. But shouldn’t they have addressed these security risks when they released Intro? Shouldn’t they have explained to the common iPhone user in layman’s terms exactly how the app works?

LinkedIn’s intentions are definitely good; they want people in the business world to have a way to seamlessly connect and network within their iPhone’s email, since so many people do business on the go. After the reports were released, they even took steps to explain their security measures and ensure security is as tight as can be. But is that enough? LinkedIn says their security team “isolated Intro into a separate network segment and implemented a tight security perimeter across trust boundaries” and also “performed hardening of the externally and internally-facing services and reduced exposure to third-party monitoring services and tracking.”

Unfortunately, there are far too many people who could exploit the third-party middleman and use the app against both the user and LinkedIn. It’s hard to forget that in June 2012 nearly 6.5 million user accounts were hacked, revealing that LinkedIn only had basic security protocols in place, so it’s no surprise people are concerned about their handle on security. Many LinkedIn users will prefer the convenience, or simply won’t know enough about how it really works within iOS to understand the potential security threats. Before using this app, you should ask yourself whether simplifying one aspect of business with LinkedIn Intro is worth the risk.