Researchers have discovered that LinkedIn’s iPhone and Android apps may be up to no good:
Today’s not a good day to be a LinkedIn user—doubly so if you use LinkedIn’s iPhone or Android app. Researchers have discovered that the app scrapes users’ calendar items and sends the data back up to its servers, even when those calendar items were created outside of the LinkedIn app. The scraped data includes participant lists, subjects of entries, times of meetings, and any attached meeting notes (such as dial-in details and passcodes).
The LinkedIn app manages to gain access to your calendar items because it has a feature that allows you to view your calendar from within the app itself. According to security researchers Yair Amit and Adi Sharabani, the app then transmits this information to LinkedIn’s servers without any clear indication to the user that this is happening—a throwback to the Path controversy that revealed the social networking app (among many others) had been transmitting users’ contact lists to a remote server without explicit user consent.
LinkedIn says this is an opt-in feature, but hasn’t really explained why this data needs to be passed to its servers.
This puts LinkedIn in the same shadowy territory as Path and Carrier IQ, the mobile app company that was tracking people’s keystrokes. In the meantime, be aware that all the data in your calendar entries — phone numbers, passcodes for conference calls, whatever — may be scraped and uploaded if you are using the LinkedIn app.