LinkedIn’s Leaky Mobile App Has Access to Your Meeting Notes

LinkedIn mobile app subscribers may be surprised to learn that the calendar entries on their iPhones or iPads— which may include details about meeting locations, participants, dial-in information, passwords and sensitive meeting notes — are transmitted back to LinkedIn’s servers without their knowledge.

Mobile security researchers will present those findings at a security workshop at Tel Aviv University on Wednesday. The researchers, Yair Amit and Adi Sharabani, discovered that LinkedIn’s mobile app for iOS, Apple’s mobile operating system, included an opt-in feature that allows users to view their iOS calendar entries within the app. Once users opt in to that feature, however, LinkedIn automatically transmits their calendar entries to its servers. LinkedIn grabs details for every calendar on the iOS device, which may include both personal and corporate calendar entries.

That practice, which is not communicated to users, may violate Apple’s privacy guidelines, which expressly prohibit any app from transmitting users’ data without their permission. A similar practice came to light earlier this year when a developer noticed that Path, the popular mobile social network, was uploading entire address books to its servers without users’ knowledge. That practice came under scrutiny by members of Congress. In response, Path said it would stop the practice and destroy the data it had collected.

App makers covet such data to help quickly expand the network of people who use their program. But in LinkedIn’s case, Mr. Amit and Mr. Sharabani say, there is no legitimate reason why LinkedIn would need to transmit and store detailed calendar entries and meeting notes on its servers.

Calendar entries grabbed by LinkedIn's mobile app could provide details of private conference calls or meeting attendees.Yair Amit and Adi SharabaniCalendar entries grabbed by LinkedIn’s mobile app could provide details of private conference calls or meeting attendees.

“In some cases, grabbing users’ sensitive data might be O.K. It is never right to do so without a clear indication. It is far worse when the sensitive information is not really needed in the first place. This is what we found in LinkedIn,” said Mr. Sharabani.

Asked about the practice, Julie Inouye, a LinkedIn spokeswoman, said that the company’s “calendar sync feature is a clear ‘opt-in’ experience” that syncs only when the LinkedIn app is open and that members could opt out of the calendar feature at any point. (In the iPhone or iPad, go to Settings, go to LinkedIn and slide off the “calendar” option.)

“We use information from the meeting data to match LinkedIn profile information about who you’re meeting with so you have more information about that person,” Ms. Inouye said.

She did not clarify why LinkedIn transmits calendar information to its servers.

“In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn needs is unique identifiers of the people you are going to meet with, not all the details of your planned meetings,” Mr. Amit and Mr. Sharabani wrote in an e-mail.

Mr. Amit and Mr. Sharabani said they had communicated the problem to LinkedIn’s risk and privacy operations team, but as of Tuesday, the problem had not been fixed. They noted that the practice could be especially problematic in cases where a user plugged in confidential financial details for a company meeting, for instance.

The findings may shed more light on how technology companies take people’s personal and private information without their knowledge. Last year, users were incensed to learn that Color, a mobile application, could activate the microphones on their phones and record their conversations without their permission. And in December, Carrier IQ, a mobile intelligence company, got hit with several class-action lawsuits after a developer noticed that its tracking software could record a user’s keystrokes — including phone numbers dialed, text messages sent and even encrypted Internet searches— on 140 million smartphones.