iOS Users: Are your LinkedIn login credentials safe?

iPhone and iPad users may be shocked to learn that, despite the security iOS provides, they may be unwittingly handing their LinkedIn email and password to third parties ‘phishing’ for their details. Because many people reuse the same email/password combination across a variety of websites and services, a smart attacker would not use that information to hijack your LinkedIn account, but would instead try those login details on other websites where they can steal your funds or find personal information that could be used to blackmail you.

Earlier this month LinkedIn finally released its own SDK for iOS, ending the need to rely on the developers of integrated apps not to hijack that information. Until now, iOS apps have either embedded LinkedIn’s JavaScript SDK or implemented their own native OAuth 2 login interface, and both methods are spelled out as a threat in the OAuth documentation. When a website integrates using the JavaScript SDK you can tell whether your credentials are being kept safe: the SSL connection, indicated in most browser bars by a padlock, assures you that you are sharing your email and password directly with LinkedIn, which then authorises the website that directed you there to access your profile data.

[Figure: iOS security flaw. On the left, LinkedIn’s new SDK authorisation; on the right, a commonly abused pre-existing method.]

Where LinkedIn-integrated iOS apps have used ‘UIWebView’, a modifiable class for embedding web content, to call the JavaScript SDK, the developer controls the page you are shown. That lets them either present their own mock-up of LinkedIn’s login page and collect your credentials as a middleman, or add hidden UITextFields on top of LinkedIn’s real page and collect them that way. Apps that use their own native OAuth interface needn’t bother with the charade: they are already asking you to trust them with your login details.

Security-conscious iOS users should from now on refuse to use these methods, and only trust apps which either open LinkedIn’s iOS app for authentication or open Safari for JavaScript authentication at
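The safe pattern the article recommends, handing the login page to Safari rather than hosting it in an app-controlled web view, looks like the following in Swift. This is an added example written for this page, not code from LinkedIn’s SDK or from any app named here; the authorization endpoint, client id and `exampleapp://` redirect scheme are placeholders, and provider-specific parameters such as scope are left out.

```swift
import UIKit
import Security

/// Added example (not LinkedIn's SDK): run the OAuth 2 authorization step in
/// Safari so the app never hosts the login page and cannot read what is typed
/// into it. Endpoint, client id and redirect URI are placeholders.
enum OAuthLogin {
    // Assumed endpoint; substitute the provider's documented authorization URL.
    static let authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization"
    static let clientID = "YOUR_CLIENT_ID"                 // placeholder
    static let redirectURI = "exampleapp://oauth/callback" // placeholder custom scheme

    /// State issued for the in-flight login; compared on callback so a
    /// redirect the app did not initiate is rejected.
    private static var pendingState: String?

    /// Cryptographically random, URL-safe state token (16 bytes, hex encoded).
    static func makeState() -> String {
        var bytes = [UInt8](repeating: 0, count: 16)
        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        precondition(status == errSecSuccess, "SecRandomCopyBytes failed")
        return bytes.map { String(format: "%02x", $0) }.joined()
    }

    /// Authorization-code request URL. No password ever passes through the app;
    /// the user types it into Safari, where the real address bar and padlock
    /// are visible and the page DOM is out of the app's reach.
    static func authorizationURL(state: String) -> URL {
        var components = URLComponents(string: authorizationEndpoint)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "state", value: state),
        ]
        return components.url!
    }

    /// Hand off to the system browser instead of a UIWebView.
    static func beginLogin() {
        let state = makeState()
        pendingState = state
        UIApplication.shared.open(authorizationURL(state: state), options: [:], completionHandler: nil)
    }

    /// Call this from AppDelegate's application(_:open:options:) when Safari
    /// redirects back to the custom scheme. Returns the authorization code only
    /// if the state matches the one this app issued; otherwise nil.
    /// The code should then be exchanged for a token server-side, so the
    /// client secret never ships inside the app binary.
    static func handleCallback(_ url: URL) -> String? {
        guard let components = URLComponents(url: url, resolvingAgainstBaseURL: false),
              components.scheme == "exampleapp",
              let items = components.queryItems else { return nil }
        let params = Dictionary(items.map { ($0.name, $0.value ?? "") },
                                uniquingKeysWith: { first, _ in first })
        guard let state = params["state"], state == pendingState else { return nil }
        pendingState = nil   // single use: a replayed callback will not match
        return params["code"]
    }
}
```

The property to look for when judging an app is simply that the login page is rendered by something the app cannot script: Safari, the provider’s own app, or on current iOS versions the system-provided `ASWebAuthenticationSession`, which gives the same isolation without leaving the app. A web view the app itself creates, whatever padlock it paints in its own chrome, offers no such guarantee.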

The tip of the iOS security iceberg

While this article focuses on LinkedIn because of its new iOS SDK, this is merely the tip of the iceberg: OAuth 2 is the most widely used means for an app to connect to your social media accounts, and a quick scan of the App Store reveals that a significant proportion of apps are not following the best practices referenced above. While Apple’s App Store Review Guidelines suggest that apps which include account registration should provide a privacy policy, in practice this is of little comfort.

This is illustrated clearly by two examples turned up by searching the App Store for ‘linkedin’. The first, Wasme, a not widely used app designed for LinkedIn contact exchange, requires you to log in but does not provide a privacy policy at all. Unusually, it shows an address bar above the embedded login page, with a padlock suggesting security; however, the address is not editable and the padlock is no more trustworthy than the app developer. The second example, far more widely used, is Glassdoor, which provides a fairly comprehensive privacy policy stating in no uncertain terms that it shares your personal information as it sees fit…

“We may share personal information we collect with our trusted business partners. We also will share personal information with service providers that perform services on our behalf.”

…while placing the burden of figuring out which personal information it is collecting on the user.

“Depending on how you interact with Glassdoor, the personal information we collect from you may vary. … Because we request this information directly, it will be clear what types of personal information we are collecting.”

While Glassdoor’s website uses the appropriate redirects to the social media providers for authentication, the app uses its own interface, which makes it fairly clear that they reserve the right to collect and share your credentials for LinkedIn, Dropbox, and Google.

Altogether this stands in stark contrast to the supposedly comprehensive protection iOS offers against personal data collection and dissemination: apps that access contacts, email, geolocation or the built-in Facebook and Twitter integrations must explicitly ask your permission on a case-by-case basis, and in my experience that contrast creates a widespread false sense of security where third-party apps are concerned. Nor is this the first time LinkedIn and other related enterprises have been criticized for their privacy failings.

John O’Mara develops apps for iOS and has a personal interest in its security.

John O'Mara is a writer of code and prose from London, UK