LinkedIn Intro: Potential Security Problems?

The latest release from LinkedIn is LinkedIn Intro, a mobile product that works in conjunction with the Apple Mail app on the iPhone, released in English for all users worldwide at the end of October. If you activate LinkedIn’s new Intro service, then when you view email in Apple Mail on your iPhone, a bar pops up inside the message showing the sender’s LinkedIn profile photo, professional headline and location. Tapping on the bar brings up additional information, including some of your mutual connections, the sender’s LinkedIn profile summary, occupation and educational background.

The program supports Gmail, Google Apps, Yahoo! Mail, AOL Mail, and iCloud. It works by rerouting your email through LinkedIn’s Intro servers, which scan each message for sender details so that LinkedIn can overlay its profile information on the original email message.

According to LinkedIn, the app was developed in response to the fact that more and more people read email on mobile devices rather than at their desktop computers. The purpose behind LinkedIn Intro is to help people use email more effectively without having to leave the email app to look someone up: if you receive an email from someone you don’t already know, LinkedIn Intro is meant to help you judge whether the message is legitimate (from a real person with whom you may share a connection) or simply spam. And because the LinkedIn information appears within the email itself, you can craft a better-informed response.

Immediately after LinkedIn Intro was announced, commentary raising the security alarm started making the rounds on the internet, claiming that LinkedIn Intro was not secure, posed a threat to users, and changed the security profile of devices using it. LinkedIn posted a response to these comments, describing the security measures its team had taken prior to launching Intro and clarifying that devices using the service would not have their security profiles changed. A number of people who had posted online about potential security problems with Intro were contacted directly by members of LinkedIn’s security team to help make the product more secure. For example, see this post by a security and programming blogger who hacked into LinkedIn Intro to demonstrate some vulnerabilities, and the follow-up post describing what LinkedIn did in response to close that vulnerability.

LinkedIn has advised that user names, passwords and email content are not stored permanently on LinkedIn’s servers; as soon as a message is retrieved by your device, it is removed from LinkedIn’s servers. Communication between the Mail app and LinkedIn’s servers, as well as between the LinkedIn Intro servers and your email provider (Gmail, etc.), is fully encrypted. However, the fact remains that by activating LinkedIn Intro on your device, you are allowing all of your email to pass through LinkedIn’s proxy servers, which creates a potential point of exposure for your mail.

LinkedIn Intro is an optional service, and to get it, you have to opt in on your device. Before you do so, make sure you understand the potential issues and decide for yourself whether you trust LinkedIn and its servers with your email – and whether your firm’s email security policies allow it.