LinkedIn responds, says new Intro app is (mostly) secure, won’t store your email

Like the idea of being able to spot real deals from spam emails but hesitant to risk your security? LinkedIn is hoping to ease your fears. The social networking site has responded to critics who questioned the wisdom of allowing all your messages to pass through LinkedIn’s email scanning service by saying it “built the most secure implementation we believed possible”.

The social network sites new invite-only Intro extension, which displays added information about the sender of an email from their LinkedIn profile inside the Mail app on iPhones, drew concern from security analysts shortly after launch due to the fact that it involves sending your email through a third-party server. For example, security firm Bishop Fox warned that LinkedIn could be storing and scanning your emails, circumnavigating security barriers and making it easier to become the victim of a phishing attack. It also pointed out that LinkedIn doesn’t have a stellar track record when it comes to security — it suffered a major hack that saw more than 6.5-million user passwords exposed back in June last year.

In a response to the concerns, LinkedIn’s senior manager of information security, Cory Scott, explained some of the pre-testing the team went through to identify possible vulnerabilities before launching the app. “When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible,” he said. “We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.” These included having an independent security firm inspect the credential handling and mail parsing/insertion code for the app line-by-line, and developing a way to quickly alert the team about any potential security breaches and to minimise the impact of a hack.

While Scott didn’t comment on the previous hack or deny that allowing a third party access to your email could be a problem for those sending sensitive messages, he denied that LinkedIn will store emails. “When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form,” he said. “And once the user has retrieved the mail, the encrypted content is deleted from our systems.”

He also directly refuted the assertion by Bishop Fox that Intro could change your device’s security profile, explaining that the app doesn’t work by “pushing a security profile to your device” but rather by adding an email account that communicates with Intro. Overall, the response seems to attempt to explain how the LinkedIn team has prepared for and worked hard to prevent a potential breach. Whether that will be enough in the eyes of its users remains to be seen.