Researchers from Skycure Security have discovered that LinkedIn's iOS app has been gathering users' calendar data and transmitting it back to the social network's servers. As The Next Web reports, the company's app for iPhone and iPad has been collecting and dispersing these data without user permission, though this only occurs when a user opts in to LinkedIn's calendar sync feature.
According to Skycure researchers Yair Amit and Adi Sharabani, data are transferred to LinkedIn only when a user chooses to view his or her iOS calendar within the app. Once that happens, the app collects information on any meetings scheduled within the previous five days, including meeting notes, appointment times, dial-in details, and the names of organizers and attendees. This practice extends to both personal and corporate calendars, and even implicates attendees who are not LinkedIn members. These data, moreover, are sent in plain text, without being cryptographically hashed.
Skycure's revelation raises the question of whether LinkedIn is in violation of Apple's privacy guidelines, which prohibit apps from transmitting personal data without user permission. LinkedIn spokeswoman Julie Inouye points out that the company's "calendar sync feature is a clear ‘opt-in’ experience," and that users can easily opt out by adjusting their device's settings.
The spokeswoman went on to say that LinkedIn relies on these calendar data to synchronize information across users who are attending the same meeting. "We use information from the meeting data to match LinkedIn profile information about who you’re meeting with so you have more information about that person," Inouye told the New York Times.
Less clear, however, is why LinkedIn would need so much information to begin with. According to Amit and Sharabani, all the company would really need to sync attendee profiles is a user's unique identifier. The motive behind collecting meeting notes, times, and dial-in passwords remains unclear, and LinkedIn has yet to address this issue.
Amit and Sharabani say they've already notified LinkedIn about their findings, but that the company's iOS apps are still sending out user data. The two researchers will present their findings at the Yuval Ne’eman workshop in Tel Aviv on Wednesday, and have just posted a more thorough breakdown of the issue on their blog,