On Wednesday LinkedIn rolled out the LinkedIn Intro platform for iOS devices. Almost immediately after the service launched, security concerns began to surface on the web.
By Saturday morning LinkedIn had released a blog post titled, “The Facts about LinkedIn Intro.” In that post the company writes:
“Many things have been said about the product implementation that are not correct or are purely speculative, so this post is intended to clear up these inaccuracies and misperceptions.”
The post claims that the LinkedIn Security team closely examined the core design of Intro to ensure that the best possible implementation of security standards was followed.
Here are some of the actions the LinkedIn Intro team took to secure the platform for its iOS launch:
- We isolated Intro in a separate network segment and implemented a tight security perimeter across trust boundaries.
- We performed hardening of the externally- and internally-facing services and reduced exposure to third-party monitoring services and tracking.
- We also had iSEC Partners, a well-respected security consultancy, perform a line-by-line code review of the credential handling and mail parsing/insertion code.
- Our internal team of experienced testers also penetration-tested the final implementation, and we worked closely with the Intro team to make sure identified vulnerabilities were addressed.
- We made sure we have the right monitoring in place to detect any potential attacks, react quickly, and immediately minimize exposure.
- All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.
- We worked to help ensure that the impact of the iOS profile is not obtrusive to the member. It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the device’s security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday.
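The last two bullets make two checkable claims: the iOS profile installs only a mail account, a certificate and a web shortcut, and the device-to-Intro hop of the mail flow uses SSL/TLS. Both are visible in the .mobileconfig itself, because that is where the Mail account's server hostnames and UseSSL flags are set. The following is an added example, not LinkedIn's code or its actual profile: it parses a configuration profile with Python's plistlib, lists the payload types it would install, flags anything that goes beyond an account, a certificate or a web clip, and flags a mail account that is not configured to use SSL/TLS. The sample profile is constructed here with .invalid hostnames and placeholder identifiers; the payload type strings are Apple's documented configuration-profile payload types.

```python
import plistlib

# Payload types that match what the LinkedIn post says the Intro profile does:
# add a mail account, install a certificate for the web endpoint, add a web clip.
ACCOUNT_AND_SHORTCUT_TYPES = {
    "com.apple.mail.managed",      # Email payload: adds an IMAP/POP account
    "com.apple.security.pkcs1",    # Certificate payload
    "com.apple.security.root",     # Root certificate payload
    "com.apple.webClip.managed",   # Web Clip payload: home-screen shortcut
}

# Payload types that change the device's own security posture rather than adding
# a single account; a profile that "simply adds an email account" has none of them.
DEVICE_POLICY_TYPES = {
    "com.apple.applicationaccess",            # Restrictions
    "com.apple.mdm",                          # MDM enrolment
    "com.apple.vpn.managed",                  # VPN configuration
    "com.apple.proxy.http.global",            # Global HTTP proxy
    "com.apple.wifi.managed",                 # Wi-Fi settings (can carry a proxy)
    "com.apple.mobiledevice.passwordpolicy",  # Passcode policy
}


def audit_profile(mobileconfig: bytes) -> dict:
    """Summarise what a .mobileconfig would install and flag payloads beyond
    account/certificate/shortcut, plus any mail account that is not using TLS."""
    profile = plistlib.loads(mobileconfig)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")

    report = {"payload_types": [], "device_policy": [], "unknown": [],
              "cleartext_mail": [], "web_clips": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        report["payload_types"].append(ptype)
        if ptype in DEVICE_POLICY_TYPES:
            report["device_policy"].append(ptype)
        elif ptype not in ACCOUNT_AND_SHORTCUT_TYPES:
            report["unknown"].append(ptype)
        if ptype == "com.apple.mail.managed":
            # The device-to-proxy hop is configured here: check both directions use SSL/TLS.
            for direction in ("Incoming", "Outgoing"):
                host = payload.get(f"{direction}MailServerHostName", "?")
                if not payload.get(f"{direction}MailServerUseSSL", False):
                    report["cleartext_mail"].append(f"{direction.lower()}:{host}")
        if ptype == "com.apple.webClip.managed":
            report["web_clips"].append(payload.get("URL", "?"))
    report["ok"] = not (report["device_policy"] or report["unknown"]
                        or report["cleartext_mail"])
    return report


def make_sample_profile(extra_payloads=()) -> bytes:
    """Constructed sample profile (assumption, not LinkedIn's real profile): one
    IMAP account pointing at a hypothetical proxy host, one web clip, plus extras."""
    payloads = [
        {
            "PayloadType": "com.apple.mail.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "example.mail",
            "PayloadUUID": "00000000-0000-4000-8000-000000000001",
            "EmailAccountType": "EmailTypeIMAP",
            "EmailAccountDescription": "Mail via proxy (example)",
            "IncomingMailServerHostName": "imap-proxy.example.invalid",
            "IncomingMailServerPortNumber": 993,
            "IncomingMailServerUseSSL": True,
            "IncomingMailServerAuthentication": "EmailAuthPassword",
            "IncomingMailServerUsername": "user@example.invalid",
            "OutgoingMailServerHostName": "smtp-proxy.example.invalid",
            "OutgoingMailServerPortNumber": 587,
            "OutgoingMailServerUseSSL": True,
            "OutgoingMailServerAuthentication": "EmailAuthPassword",
            "OutgoingPasswordSameAsIncomingPassword": True,
        },
        {
            "PayloadType": "com.apple.webClip.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "example.webclip",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "URL": "https://intro.example.invalid/", "Label": "Example",
            "IsRemovable": True,
        },
    ] + list(extra_payloads)
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-4000-8000-000000000000",
        "PayloadDisplayName": "Example profile", "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


# Constructed Restrictions payload, to show what the audit flags.
RESTRICTIONS_PAYLOAD = {
    "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
    "PayloadIdentifier": "example.restrictions",
    "PayloadUUID": "00000000-0000-4000-8000-000000000003",
    "allowCamera": False,
}

if __name__ == "__main__":
    print(audit_profile(make_sample_profile()))
    print(audit_profile(make_sample_profile([RESTRICTIONS_PAYLOAD])))
```

Run against a real downloaded profile, the first report tells you exactly which payload types a profile installs, which is the question the Bishop Fox post and LinkedIn's reply were arguing about; the second shows how a Restrictions payload, or a mail account with UseSSL left unset, turns `ok` false.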
Most software platforms released onto the open market these days raise security concerns, and LinkedIn Intro is no different. Here is a video in which security experts discuss their concerns about the new platform: