Security experts warn against using LinkedIn app for Apple iPhone

image
App embeds link to an email sender's profile and could compromise security of the device

The new LinkedIn iPhone app that embeds a link to an email sender’s profile on the professional network presents a number of security risks and should not be used, experts warned.

Criticism of the app, called Intro, started soon after its release last week. The first to slam LinkedIn was security consultancy Bishop Fox, which accused the site of “hijacking email.”

Over the weekend, Jordan Wright, a security engineer at CoNetrix, said he was able to spoof  Intro profile information, using a technique that a criminal could easily replicate for a phishing attack.

On Monday, Neohapsis, which does penetration testing and risk assessment for mobile apps, got into the act, saying Intro users were taking on serious risks for a “marginal convenience feature at best.”

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client,” Gene Meltser, technical director at Neohapsis Labs, said.

LinkedIn has defended Intro, saying the criticism is based oninaccuracies and misperceptions“.

Wright’s spoofing experiment started with the interception of the security profile Intro inserts into iOS. He then found the username and password used to log into the LinkedIn service and grabbed the first email to look closely at what LinkedIn injects.

His investigation found that he could remove the Intro data and replace it with his own, thereby commandeering the Intro profile tab to show whatever information he wanted.

While his proof-of-concept would be benign to an email recipient, “it would be just as easy to attach a malicious payload, request sensitive information, etc.,” Wright said.

Fox compared Intro to a “man-in-the-middle” attack, because all messages go through LinkedIn servers and are analyzed and scraped for data “pertaining to whatever they feel like it.”

Also, by pushing a security profile to the iOS device, so LinkedIn can re-route emails, posed the risk of having the profile used to wipe a phone, install apps, delete apps and restrict functionality.

“You are effectively putting your trust in LinkedIn to manage your users’ device security,” Fox said.

Continue reading by clicking the source link below.

Source: NetworkWorld

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s