Security experts warn against using LinkedIn app for Apple iPhone

App embeds link to an email sender's profile and could compromise security of the device

The new LinkedIn iPhone app that embeds a link to an email sender’s profile on the professional network presents a number of security risks and should not be used, experts warned.

Criticism of the app, called Intro, started soon after its release last week. The first to slam LinkedIn was security consultancy Bishop Fox, which accused the site of “hijacking email.”

Over the weekend, Jordan Wright, a security engineer at CoNetrix, said he was able to spoof Intro profile information, using a technique that a criminal could easily replicate for a phishing attack.

On Monday, Neohapsis, which does penetration testing and risk assessment for mobile apps, got into the act, saying Intro users were taking on serious risks for a “marginal convenience feature at best.”

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client,” Gene Meltser, technical director at Neohapsis Labs, said.

LinkedIn has defended Intro, saying the criticism is based on “inaccuracies and misperceptions.”

Wright’s spoofing experiment started with the interception of the security profile Intro inserts into iOS. He then found the username and password used to log into the LinkedIn service and grabbed the first email to look closely at what LinkedIn injects.

His investigation found that he could remove the Intro data and replace it with his own, thereby commandeering the Intro profile tab to show whatever information he wanted.

While his proof-of-concept would be benign to an email recipient, “it would be just as easy to attach a malicious payload, request sensitive information, etc.,” Wright said.

Fox compared Intro to a “man-in-the-middle” attack, because all messages go through LinkedIn servers and are analyzed and scraped for data “pertaining to whatever they feel like it.”

Also, pushing a security profile to the iOS device so that LinkedIn can re-route emails posed the risk of having the profile used to wipe a phone, install apps, delete apps and restrict functionality.

“You are effectively putting your trust in LinkedIn to manage your users’ device security,” Fox said.

Source: NetworkWorld

Infographic Reveals Users Average Amount of Time Spent on Social Networks Each Month

The law firm Morrison and Foerster’s Socially Aware Blog has gathered data on how much time people spend on Facebook, Twitter, Google+ and other social networking websites.

Google+ gets about 100 million active users per month, while Facebook comes in at an impressive 1 billion. This data has been translated into how many hours these networks are used.

It seems that the average user spends close to 7 hours a month on Facebook, and a rather meager 3 minutes on Google+. Interestingly, the data also shows that users spend on average only 21 minutes a month on Twitter.

Source: Ubergizmo