LinkedIn's app transmits user data without their knowledge
iOS app collects users' calendar data and transmits it to the networking company's servers, without revealing the transmission to members, two mobile security researchers discover.
LinkedIn's iOS app is collecting information from calendar entries, including passwords and meeting notes, and transmitting it back to the company's servers without their knowledge, according two mobile security researchers.
The business-networking giant's app for Apple's iPad and iPhone has an opt-in feature that allows users to view their calendar entries within the app. However, researchers Yair Amit and Adi Sharabani discovered that once enabled by the user, the app automatically transmits users' calendar entries back to LinkedIn servers. Amit and Sharabani expect to present their findings at a security workshop at Tel Aviv University tomorrow.
The transmission of data, which is not revealed to users, may violate Apple's privacy guidelines, which prohibit apps from collecting and transmitting users' data without their express permission. Controversy erupted earlier this year when Path -- a popular iOS and Android application -- was without permission. Path issued an apology on the issue and introduced an updated version that required users to opt-in to the feature.
Apple promised a fix that would prevent the behavior in the future, and a U.S. House subcommittee sent a letter to Apple asking why it doesn't force app developers to ask users for permission before downloading contacts.
The researchers said they had contacted LinkedIn about their findings but that the issue has yet to be resolved. They also said they didn't believe the social network used the data in a malicious way.
"However, we are concerned by the fact it collects and sends-out sensitive information about its users, without a clear indication and consent," Amit said in a blog post describing the issue.
While user contact data is valuable in helping to attract more users to the app, the researchers said there was no legitimate reason for LinkedIn to be collecting calendar data.
"The biggest problematic factor lies in the fact that most of the transmitted information is not required for the app's functionality," Amit said.
LinkedIn representatives did not immediately respond to a CNET request for comment but pointed out to the New York Times that the feature is an "opt-in experience" that users can opt out of at any time.
"We use information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person," LinkedIn spokesperson Julie Inouye said.
CNET has contacted Apple and will update this report when we learn more.
Updated at 8:55 p.m. PT with link to blog.