27

I wanted to install the LinkedIn app on my Android phone and I was shocked when it asked for nearly all possible permissions, including reading all of my private data and calendar data.

Why does any application like LinkedIn, which is probably implemented as a simple webview, possibly need access to such sensitive data? Can I consider this as spyware?

Adam Arold
  • 403
  • 5
  • 11
  • 14
    I get extremely upset when apps request access to incoming phone calls or to my phone contacts. I can think of VERY few apps that require this information. It usually irritates me enough that I do not install them. – MikeS May 22 '13 at 14:14
  • Same stands for me. – Adam Arold May 22 '13 at 14:15
  • Most applications require the extra permissions for some "add-ons" not strictly required for the app itself (and often you don't want them either), but I don't think Android lets you choose what gets installed based on the permissions, so it's all-or-nothing. As a developer I'd choose to use the smallest set of permissions strictly required, and eventually write the add-ons as secondary apps. – Bakuriu May 22 '13 at 17:12
  • 1
    One workaround would be to use LinkedIn's web service, rather than an app. You can also patch Android ROMs to allow the use of [PDroid](https://play.google.com/store/apps/details?id=com.privacy.pdroid), which allows finer-grained control of permissions. I wrote up a quick [guide](http://www.stevenmaude.co.uk/2013/05/patching-android-roms-for-pdroid-using.html) on how to do this using Auto-Patcher. – Steven Maude Jun 09 '13 at 20:42

3 Answers

22

@Stolas has already explained that the only way to be sure what an application does is to reverse engineer it and inspect its code, and @RoryAlsop already described why such access permissions are required from the application architectural point of view. But there's one thing that I feel I should add.

I think there's not much to worry about here. Why? LinkedIn is a fairly big player and as such under constant scrutiny of the public eye, like all the big ones are. If they were up to no good and trying to access data you didn't agree to in their TOS, and/or otherwise misuse it, they would have to deal with big problems keeping that under the rug and risk a huge loss in their reputation and credibility, possibly even be subject to legal prosecution and the financial loss that would come with it, if it were ever to become public knowledge.

You see, these apps aren't developed by a few tightly controlled developers kept in some basement and only allowed access to daylight once thoroughly brainwashed against any residual disclosure of information. I'm being slightly sarcastic here, but I believe that living under constant paranoia is even more damaging to one's mental health than my opinion compressed in a few lines could ever be. Anyway, if LinkedIn (and this goes for any other big player in the field of social networking out there) was misusing your personal information in a way that is not clearly described in the end user agreement (or other such documentation) you agreed to upon signing up for their services, and/or installing their software, chances are extremely high you'd be reading about that in the news and LinkedIn wouldn't exist anymore:

  • One of the developers would suffer a guilty conscience and blow the whistle on them to relieve the pressure and hopefully sleep better. Or,
  • an independent researcher would find interesting inner workings in the code he/she just reverse-engineered from a signed install package LinkedIn is publishing. Or,
  • a sleepless networking expert (not to be confused with script kiddies) would find some indicative network packets being exchanged between a test client that he set up and a LinkedIn server, that the downloaded app was responsible for. Or,
  • an IT security professional will be asked to assess potential threats some company faces with their BYOD policy. The vulnerability assessment will include some of the most common Android device software, and the mentioned LinkedIn Android app will most likely be among the first ones tests are conducted on.

Regardless of who would be the first to discover it, LinkedIn could either be blackmailed and settle it privately (which could still leak eventually), or have to defend themselves in front of the eyes of the public. Both of these would incur cost to the corporation, something they don't appreciate, not in the least bit. And since alternatives to illegally exploiting your personal data are a lot cheaper, that's what they do. They test their code thoroughly for compliance with all kinds of regulations, sign it with certificates that prevent install package tampering, and they're proud to display that to end users too. The rest is then between you (your free will to disclose your personal information to whomever you want) and LinkedIn (the ones that will gladly take it and turn it into profit). That said, it's up to you to decide how intrusive you'd find such social networking symbiosis, and whether you should call it spyware.

TildalWave
  • 10,801
  • 11
  • 45
  • 84
  • If you are paranoid, it doesn't mean they aren't out to get you. How many networking experts lose their sleep over murky side channels in some goodness-forsaken apps? (Which are NOT open source!) – Deer Hunter May 22 '13 at 14:26
  • @DeerHunter Well yes, true. But why would they hide anything in the code when they can wrap it in legal lingua nobody cares to read and make us agree to it on signup? That's what I was saying, and OP was inquiring about the safety of their apps, not if it's safe to use LinkedIn (or similar). I still think it would be utterly stupid of them to try to acquire data illegally, when there's so many willing to give it to them legally. ;) – TildalWave May 22 '13 at 14:37
  • @DeerHunter - I've added another paragraph to the list of possible ways such threats could be discovered, hope that narrows down the chances it would actually be used on unsuspecting users. Well, in theory at least. Of course, far greater concern should be regarding safety of such similar apps of less known vendors/developers IMO. Exposure increases chances of being discovered, question is, how much of such pressure is put on bottom feeders. And there's tens of thousands of those around. ;) – TildalWave May 22 '13 at 15:28
  • 1
    Keeping in mind the latest surveillance programme `PRISM` and then reading that "_LinkedIn is a fairly big player and as such under constant scrutiny of the public eye, like all the big ones are_" just doesn't fit. How can you be so sure about the intentions of the _big players_? – R11G Jun 12 '13 at 06:19
  • @R11G - You fail to see the point I was making. It's not the intentions of the big players that I said are clear or anything, but that there is a far greater chance their downloadable software will be tested in this and that way to establish what it's doing. I hardly said it's safe to use LinkedIn; I said it's probably a lot safer to use their software than that of some Joe Basement Co. that rare few have a look into. – TildalWave Jun 12 '13 at 08:09
  • They might not do something _illegal_, but LinkedIn in particular is famous for tricking people into sharing their email address books and emailing everyone in it. If LinkedIn did something equally sketchy with their mobile app, it might not harm their reputation much more than it already is. – idupree Nov 15 '13 at 00:38
13

You could only know for sure by reverse engineering (RCE) the source code. But I recall LinkedIn having a calendar app built in, and using the Google Calendar system as a backend. For questions about reverse engineering have a look at the RE Stack Exchange.

And, well, it's spyware in the sense that all social networks are spyware.

Stolas
  • 333
  • 1
  • 13
  • What does RCE stand for? This is not the same. Facebook is not reading my email nor my private data on my phone. – Adam Arold May 22 '13 at 09:23
  • 2
    RCE is Reverse Code Engineering. I never used nor will use Facebook, so what I am saying is just from reading the news and talking to people. But Facebook also collects its users' information to make money (Mr Zuckerberg's net worth is not US$ 13.3 billion for being nice to its users). So it is doing something with the info about its users; this is what I meant with _And, well, it's spyware as far as all social networks are spyware._ – Stolas May 22 '13 at 09:33
  • 3
    @AdamArold - I guarantee you that Facebook is accessing your contact list on your phone. – Ramhound May 22 '13 at 12:06
  • 3
    @AdamArold [Here is the Facebook app for Android](https://play.google.com/store/apps/details?id=com.facebook.katana). Click the PERMISSIONS tab and scroll to the bottom. What do you see? – AakashM May 22 '13 at 13:39
  • 2
    Oh my god. Or "What the f*ck" would be more appropriate. – Adam Arold May 22 '13 at 17:47
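Short of reverse engineering the whole app, the first artifact to read is the permission list the package declares, which is what the PERMISSIONS tab in the store comment above summarises. Below is an added example (not code from the original answer or from LinkedIn) that audits a decoded `AndroidManifest.xml` and groups the requested permissions by the private data they unlock. It assumes the manifest has already been decoded to plain XML (for a real APK, a tool such as apktool does that; the binary manifest inside the APK is not text), and the sample manifest and the category table are constructed for the example; the permission names themselves are standard Android permission strings.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Manifest attributes live in the android: namespace; ElementTree exposes
# them as "{namespace-uri}name".
ATTR_NAME = "{%s}name" % ANDROID_NS

# Assumption: this subset of Android's dangerous (runtime) permissions, grouped
# by the kind of private data each one exposes, is what we want to flag in a
# privacy audit. The table is constructed for this example.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element,
    in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ATTR_NAME)
        if name:
            names.append(name)
    return names


def audit_permissions(manifest_xml):
    """Group requested permissions into sensitive categories and 'other'.

    Returns {"sensitive": {category: [perm, ...]}, "other": [perm, ...]}.
    """
    report = {"sensitive": {}, "other": []}
    for name in requested_permissions(manifest_xml):
        category = SENSITIVE_PERMISSIONS.get(name)
        if category is None:
            report["other"].append(name)
        else:
            report["sensitive"].setdefault(category, []).append(name)
    return report


# Constructed sample: a decoded manifest for a hypothetical social app that
# asks for contacts, calendar and call-log access on top of network access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    result = audit_permissions(SAMPLE_MANIFEST)
    for category, perms in sorted(result["sensitive"].items()):
        print("%-11s %s" % (category + ":", ", ".join(perms)))
    print("other:      %s" % ", ".join(result["other"]))
```

Running this against the sample prints three sensitive categories (calendar, call log, contacts) and two harmless ones; the useful review question is then the one Bakuriu raises in the comments: which declared feature of the app actually needs each category, and whether the app works at all if that feature is dropped.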
10

LinkedIn offers specific functionality to link to your contacts list and calendar. These are parts of the application. Without these permissions it wouldn't work.

At least they are up front about saying what the application does, but it would be nice to have the ability to select specific functions, so that if you didn't want the calendar function you could just install a version which doesn't require that access.

The way apps are signed would probably mean this would require separate apps to be installed and that would add complexity as well as reducing the value to the supplier.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • What is the functionality? – MCW May 22 '13 at 18:50
  • 1
    @MarkC.Wallace - the functionality being stealing your contact list to post LinkedIn's spam [invitations](http://workplace.stackexchange.com/questions/3183/linkedin-invitations-from-people-i-dont-know). Yuck. – Deer Hunter May 23 '13 at 08:03
  • The app can copy your contacts list to enable automatic importing to LinkedIn. Oh, and they could spam them too :-/ – Rory Alsop May 23 '13 at 10:32