LinkedIn announced on Friday it was shuttering its four-month-old Intro service, which stirred up a privacy meltdown shortly after its release in October.
Intro was an integrated service for iOS which sat as a proxy between the built-in iOS mail client and the user’s email provider. Intro would intercept all IMAP and SMTP messages and insert an Intro bar into email messages; the bar acted as a shortcut to the sender’s LinkedIn profile and provided options for connecting with that person over the LinkedIn network.
On Friday, LinkedIn announced it will shut down Intro on March 7, though it said it is going to continue to develop services to bring LinkedIn to a user’s inbox. The company also announced it was shutting down Slidecast, its service that enables users to upload and view one another’s presentations, as well as ending support for the LinkedIn app on iOS devices before version 6.
Intro immediately raised eyebrows among security and privacy experts who were curious about its native behaviors and ability to circumvent the protections built into the native iOS mail client. In particular, experts cited concerns over corporate email policy violations, broken cryptographic signatures and the creation of a central collection point for government surveillance efforts.
Analysts at security consultancy Bishop Fox were the most vocal, initially saying that Intro pushed a security profile to the iOS device alongside the Intro app, raising red flags that a new security profile could allow an outsider to wipe the device, modify configurations, install apps and more.
Bishop Fox said LinkedIn’s Intro bar changed the content and structure of messages and feared that could impact the security of a message.
“Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end,” Vinnie Liu and Carl Livitt said. “This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason—extra data being appended to your messages.”
LinkedIn quickly refuted those claims, emphasizing that Intro does not alter an iPhone or iPad’s security profile; instead, Intro was isolated onto a separate network segment at LinkedIn. Services were hardened, reducing exposure to third-party monitoring and tracking, and every line of credential hardening and mail parsing/insertion code was reviewed by security consultancy iSEC Partners and pen-tested by LinkedIn’s internal analysts, said senior manager for information security Cory Scott.
“We worked to help ensure that the impact of the iOS profile is not obtrusive to the member,” Scott said in October. “It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro Web endpoint through a Web shortcut on the device.”