Experts have found that data is transmitted in clear text to the firm's servers
Researchers from Skycure Security have taken their time to analyze the iOS version of the LinkedIn application and they’ve discovered what they call a privacy issue. They have reached the conclusion after they found that the mobile app sends detailed calendar entries back to the company’s servers.The feature itself is interesting because it allows users to view their phone’s internal calendar inside the app. However, the fact that all the data is sent back to LinkedIn’s servers raises some concerns.
According to experts Adi Sharabani and Yair Amit, the application sends the list of meetings, subjects, locations, the time at which the meeting is scheduled, and even personal notes.
These last records are the most problematic because in many cases they contain conference details and even access passwords.
Amit and Sharabani highlight the fact that all customers who have opted in to the calendar feature are affected by this mechanism.
“While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines,” they explain.
Their belief is that LinkedIn isn’t collecting the information for malicious reasons. However, they do offer some advice to both LinkedIn and Apple on how to ensure that their customers’ privacy is not violated or exposed to certain risks.
First, LinkedIn should “refrain” from collecting full meeting details. Instead, the app should send only a relevant subset of data back to the servers. The fact that the data is sent back in clear text is also problematic, the experts recommending the use of hashes.
Finally, the company should clearly inform users on what data is collected.
As far as Apple is concerned, the Cupertino giant should, according to the researchers, improve its verification processes to ensure that apps don’t collect sensitive information without clearly notifying the user.