
LinkedIn Intro: Doing the Impossible on iOS - martinkl
http://engineering.linkedin.com/mobile/linkedin-intro-doing-impossible-ios
======
zaroth
I don't think I've ever gagged quite like that while reading a technical
article describing a "neat hack".

At first I'm thinking, oh, I wonder how they convinced Apple to let them use
some private APIs, and then... curiosity turns to revulsion as soon as I saw
that proxy diagram. Good god... LinkedIn MITM IMAP. That is truly terrifying.

How would you even go about _installing_ that on the user's phone? Oh, that's
in there too... they ship a 'configuration profile' which adds a new email
account, so your password is leaving the device in cleartext and being used to
create the profile server-side which is then shipped back to the phone and
installed, how exactly?

This just gets worse and worse if I understand correctly... I'm surprised that
configuration profiles can be shipped to an arbitrary device from a third
party this way without the user manually installing LinkedIn's certificate as
trusted. In other words, it should be a lot harder to "Accept" these profiles
outside an enterprise setting, because it sounds exploitable. What else can
you configure "so easily" I wonder?

Then you get into how they are hacking CSS and iframes into the email body, to
substitute for Javascript, and actually create a workable user interface. Now
this is fascinating, impressive, and deserves further study... Without fully
understanding exactly what they are doing, however, it sounds highly abusive
of the Mail app's rendering capabilities, and points to exploitable paths
within the Mail app that probably need to be tightened up by Apple. If
LinkedIn can make an email "act" like that without any opt-in on my part, how
would Mallory use the same "feature" in their latest SPAM campaign?

<s>Thanks LinkedIn... really, I'm impressed. When exactly did Walter Bishop
start working for you?</s>

P.S. I look forward to following your pending class-action lawsuit for
violation of US federal wiretapping laws. Cheers!

~~~
ivix
Nerd outrage hyperbole much? This is an OPT IN service. You know, only for
people who WANT to use it? If it causes you this degree of apoplexy, you are
in luck: you don't have to use it.

~~~
iuguy
This service shouldn't exist. It breaks the very concept of email security.
They're marketing it as though it's safe. Want hyperbole? Imagine Bayer
marketing heroin as safe because you know, it's opt-in.

~~~
ryguytilidie
Want hyperbole? Compare an opt in social network to heroin.

~~~
jlgreco
Why the hell not? Heroin from Bayer would not have the quality control issues
Heroin typically has.

It only becomes problematic when you consider that the user is getting
themselves into a situation that they do not fully understand and potentially
cannot easily back themselves out of.

With drugs that have a high potential to cause harm, we typically _force_ the
consumer to consult a professional before allowing them to proceed. Tech is
still in the era of patent medicines.

~~~
iuguy
I specifically used the example of Heroin as Bayer marketed it as a non-
addictive alternative to morphine, proclaiming it safe.

------
nostromo
This is a truly awesome hack. Good job!

The value for LinkedIn to vacuum up my email is immense! They'll know everyone
I email and the content of the emails as well. They'll know where I shop and
what I purchase. If I send a private email to a friend who has this installed,
I've now unknowingly bcc'ed LinkedIn. Not only that, but they know this for
the entire history of my email account! The person I stopped emailing 7 years
ago... LinkedIn has access to that as well.

But in this case I don't think the value prop for the user is big enough to
make me overcome this large of an ask.

I appreciate LinkedIn addressing this in their Privacy Pledge, but so long as
they retain the right to change it at any time, I'm too uncomfortable to
install this. But, I'm still in awe of the creative work-around. :)

~~~
dclowd9901
Maybe we should be discussing Apple's closed-ass OS instead of harping on the
only workaround that could possibly exist. Such "creative" measures wouldn't
need to be taken if it was simple for a user to augment their email app.

~~~
arb99
You can't really expect a mobile email client to allow third parties to add
their own extensions to it.

If they were that fussed they could have tried to make a clone of an email
client and integrate their own features. If it was better than the default
client, people would use it (I use Sparrow on my iPhone for email, not touched
the default Mail app for years)

~~~
dclowd9901
You know how hard it is to get people to migrate from something as ingrained
as an email app? Even a great client will suffer from the migration pain.

And to respond to criticisms of "plugin dev difficulty," that's bs. Browser
clients have a world more complication when it comes to supporting a plugin
environment, and they make it work just fine.

------
tptacek
I don't care who the company is, or how trustworthy you think they are: avoid
giving third parties credentials to your inbox.

~~~
slg
Except the third party that actually is your inbox?

~~~
bentcorner
And the third party that wrote the mail client you are using?

Not to say that this isn't a bad idea though. It would have been an easier
sell if you could do the IMAP proxying on the local device somehow.

~~~
baddox
And the third party that wrote your operating system's networking stack? And
your ISP?

~~~
pfarrell
And Ken Thompson?

[http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

------
poxrud
This is essentially a mitm attack. I am amazed that a company the size of
LinkedIn would think that this is in any way appropriate. These are the tricks
of spammers and cyber criminals. This is what LinkedIn has become.

Will customers be explicitly told that all of their emails will be going
through and stored on LinkedIn servers? I doubt it. I do envision a dialog box
along the lines of "Click Here to make your experience better". Sadly people
will click without realizing the implications.

~~~
MPetitt
But you do have to take into account the context of what they are doing. Yes
on a technical scale it is similar to a mitm attack, and yes in theory they do
have access to your email content, but I don't think that by using an
interesting trick to add a useful feature should put them in the same category
as sleazy hackers secretly trying to steal your credit cards and such.

~~~
jonhohle
Does it matter? They are purposefully inserting themselves into a stream of
information which they largely have no business being a party to.

If (when?) this proxy service is compromised are they willing to be
accountable for any information which leaks? I can't imagine wanting to even
take on this risk (maybe I'm too conservative).

Edit: I just want to add - yes, it's interesting. Yes, it's sleazy.

~~~
bluetshirt
> They are purposefully inserting themselves into a stream of information

to implement a feature that's impossible to do any other way. They have a
justification for doing this.

------
aeberbach
Misleading title. Nobody did the impossible on iOS, just did clever things
within the available frameworks. Well done author, it works. But did you ask
yourself "should I really do this?"

What I hope is going to prove truly impossible is doing anything like this
without requiring the user to explicitly accept the configuration profile.
Even so I expect they will trick many into allowing "enhancement" of their
email.

LinkedIn has a history of abusing email. From the early days* where they would
email all of the contacts on your machine if you didn't read carefully enough
to today where you can click unsubscribe many, many times and still get
"important updates". It's a wretched hive of scum and recruiters, and they
will never get between me and my email.

*spoke too soon! looks like they still do it: [http://community.linkedin.com/questions/10106/i-want-linkedi...](http://community.linkedin.com/questions/10106/i-want-linkedin-to-stop-trying-to-access-my-email.html)

~~~
j_s
A brief history of LinkedIn's problems as seen here on HN:

• LinkedIn: The Creepiest Social Network (May 9; 326 points)
[https://news.ycombinator.com/item?id=5680680](https://news.ycombinator.com/item?id=5680680)

• Why I Just Closed My LinkedIn Account (Jun 18; 137 points)
[https://news.ycombinator.com/item?id=5900120](https://news.ycombinator.com/item?id=5900120)

• LinkedIn sued by users who say it hacked their e-mail accounts (Sep 22; 204
points)
[https://news.ycombinator.com/item?id=6425444](https://news.ycombinator.com/item?id=6425444)

• Today I Deleted My LinkedIn Account; You Probably Should Too (Sep 24; 143
points)
[https://news.ycombinator.com/item?id=6433828](https://news.ycombinator.com/item?id=6433828)

------
j_s
How (and Why) You Should Block LinkedIn Access to your Exchange Server
Organization

[http://exchangeserverpro.com/blocking-linkedin-access-to-you...](http://exchangeserverpro.com/blocking-linkedin-access-to-your-exchange-server-organization/)

    
    
> I ran some tests with two brand new mailboxes, and it seems that LinkedIn
> accesses both the Contacts and the Sent Items.

technical details: [http://www.adamfowlerit.com/2013/06/02/linkedin-securityinfo...](http://www.adamfowlerit.com/2013/06/02/linkedin-securityinformation-risks-with-exchange/)

~~~
EvanAnderson
If LinkedIn changes their User-Agent string then they're right back in again.

~~~
j_s
Fortunately the technical details of how to determine the user agent to block
are included, along with a reference to LinkedIn's own support explaining that
'LinkedInEWS' is the value to add to the blocklist!
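
Detecting the client before (or after) blocking it, as an added Python example that is not from either linked article: a parser for the IIS W3C logs an Exchange CAS writes, reporting which mailboxes EWS requests with a LinkedInEWS User-Agent came from. The log excerpt, users, host and addresses are constructed. EvanAnderson's point above stands: a User-Agent block is a courtesy fence, so the value of a log check like this is noticing when a new string shows up against /EWS/.

```python
# Constructed IIS W3C log excerpt from an Exchange Client Access Server;
# the server, users and IP addresses are invented. IIS replaces spaces
# inside a User-Agent with '+'.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2013-10-24 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-10-24 09:12:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\alice 203.0.113.10 LinkedInEWS 200
2013-10-24 09:12:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\bob 198.51.100.7 MacOutlook/14.3.6+(130613) 200
2013-10-24 09:12:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=carol&DeviceId=ABC 443 CONTOSO\carol 192.0.2.4 Apple-iPhone5C2/1102.55400 200
2013-10-24 09:13:40 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\alice 203.0.113.10 LinkedInEWS 200
"""

# User-Agent prefixes to report; 'LinkedInEWS' is the value named in the
# thread above. Add others as you find them in your own logs.
BLOCKED_AGENT_PREFIXES = ("LinkedInEWS",)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the most recent
    #Fields directive (IIS repeats the directive when a log file rolls)."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        yield dict(zip(fields, values))


def ews_third_party_access(log_text, prefixes=BLOCKED_AGENT_PREFIXES):
    """Return {cs-username: {user agents}} for requests to /EWS/ whose
    User-Agent starts with one of the given prefixes (case-insensitive)."""
    wanted = tuple(p.lower() for p in prefixes)
    hits = {}
    for rec in parse_w3c(log_text):
        if not rec["cs-uri-stem"].lower().startswith("/ews/"):
            continue
        agent = rec["cs(User-Agent)"].replace("+", " ")
        if agent.lower().startswith(wanted):
            hits.setdefault(rec["cs-username"], set()).add(agent)
    return hits


if __name__ == "__main__":
    for user, agents in sorted(ews_third_party_access(SAMPLE_LOG).items()):
        print(user, sorted(agents))
```

Enforcement itself is done with Exchange's EWS application block list (the EwsBlockList parameter on Set-CASMailbox per mailbox, or Set-OrganizationConfig org-wide), which takes the same User-Agent prefix; this script is for finding out who is already hooked up and for catching a renamed client later.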

------
carbocation
Technologically this is straightforward: it uses a proxy server that sits in
between you and your actual mailserver.

I think the privacy concerns of having your mail (potentially) available over
yet another server in exchange for modest convenience makes it unlikely that I
would use this, but I'm sure many will find the trade-off acceptable and
desirable.

~~~
jwr
There are lots of concerns:

* your local mail client might get different E-mail content every time mail is downloaded, which is not the intent of IMAP,

* LinkedIn (hence, the NSA) gets full access to your E-mail,

* once people get hooked it's easy to transition to inserting ads, or "more helpful LinkedIn content",

I find all this rather disturbing and would never use this service.

~~~
r00fus
> * LinkedIn (hence, the NSA) gets full access to your E-mail,

What if I believe that Google (hence the NSA) already has access to my Gmail?
What's the cost to my privacy if it's already lost?

My major concern is that if I provide Linkedin my credentials, I now have
doubled my attack surface for intrusion by non-governmental actors.

~~~
deveac
_> What if I believe that Google (hence the NSA) already has access to my
Gmail? What's the cost to my privacy if it's already lost?_

Can I have your gmail and password? If not, why not?

~~~
wikyd
I believe they use OAuth for Gmail and Google Apps, much like Mailbox.

------
mpclark
Surely corporate IT departments are going to have a collective heart attack as
employees start handing all their email to a third party?

~~~
nwh
Additional madness when the service inevitably closes and tens of thousands
of corporate tickets are filed about non-working email clients.

~~~
amirmc
Why would the service close? It's supported by LinkedIn and AFAIK they're not
in the habit of shutting things down. This almost feels like a no-brainer for
them, especially given the move to mobile devices and locked-down apps.

Edit: Have I missed the point? I'm sure LinkedIn is a little more cautious
about such changes than your average newly-founded startup. This product gives
them access to people's _emails_ which they can probably glean a lot of info
from. They already try to get access into email accounts (username + password)
via the LinkedIn webapp so in a way this is just extending that to mobile. The
only reason I can imagine them shutting it down is if no-one uses it (in which
case, no one will complain).

~~~
kstop
Think of it like a value proposition. Is the (dubious IMO) convenience of
having Linkedin profiles in your email worth the cost of Linkedin having the
content of your email? Even if they pinky-swear to never read it, don't forget
that this proxy email server would be, overnight, one of the most valuable
corporate espionage targets in the world.

(If yes, you should probably ditch reading email and do something more
productive with your time, like picking up cans.)

~~~
amirmc
That's not the point I was responding to. It was the claim that this service
will inevitably close that I was disagreeing with.

~~~
kstop
Apologies, I was so gobsmacked by the security implications that I found it
hard to focus on anything else!

------
confluence
Holy fucking shit Batman! Assuming I read this correctly LinkedIn will now
have access to all of your emails, your email credentials, and will now have
the ability to both spoof your email, and MITM all incoming mail (banking
etc). I was actually impressed at some of the little hacks they found, until
they dropped this on me halfway through the blog. My jaw hit the ground.

This is probably the most blatant disregard for privacy and security for the
smallest possible benefit that I have ever seen. Well, next to giving LinkedIn
the password to your email so that they can spam your friends and hack your
account.

Everyone needs to stop using this piece of shit service. They're incompetent
and malicious. LinkedIn is the Zynga of HR. I'm gonna go buy some puts.

Disgusting.

~~~
anaphor
I completely agree. I'm absolutely disgusted by this.

------
gabrielr
This makes me wonder "What if two programs did this?" [1]

[1]:
[http://blogs.msdn.com/b/oldnewthing/archive/2005/06/07/42629...](http://blogs.msdn.com/b/oldnewthing/archive/2005/06/07/426294.aspx)

~~~
k3n
Great point. I love that blog.

------
mcphilip
IMO, LinkedIn has a history of enough bad business practices that it should be
shunned like a pariah and treated with complete suspicion that they may have
ulterior motives in designing this MITM app.

I have never joined LinkedIn and have never been interested in any position
that requires an easily gamed LinkedIn profile instead of meatspace
references.

------
staunch
Not only does it obliterate users' security but it introduces a potentially
unreliable point of failure. Sometimes the hack is worse than the problem it
solves. I hope they're being extremely upfront with users about how this
works, not that most users will really understand the implications...

~~~
alexdevkar
Good point re point of failure. If LinkedIn doesn't put a lot of resources
into the proxy servers, mail delivery could be very slow or fail completely.

I'm still impressed with the creativity from a technical standpoint.

~~~
dingaling
I'm not overly impressed by the architecture; it's basically a de luxe version
of the IMAP push-proxies that were common in the early 2000s, such as Nokia
Mail (I think it was called).

Phone <------ Proxy <----- IMAP hosts

Same problem; all your lovely lovely communications flowing through the Proxy.
And your tasty credentials, too.

LinkedIn have taken the old pattern and injected some data at the Proxy point,
enriched from their databases.

------
mlinsey
I don't understand why trusting LI with all your email is worse than trusting
Google with all your email.

Sure, if you do it for your corporate email, you may be violating the rules of
your employer, but that's between you and your employer, and not enough reason
to keep others from using an amazingly useful service for their own personal
email.

Lost in all this discussion is just how awesome Rapportive is - the desktop
gmail version has concretely and significantly changed my life for the better,
and that's not hyperbole. Being able to research people without leaving my
inbox has saved hours of time in my life, made my communications with those
people more effective, and prevented me from making at least a couple serious
errors.

All that is worth the added risk, especially for my personal email. Curious:
does everyone in this thread have equal outrage for those widgets that log
into your email clients so that you can invite your friends?

~~~
SideburnsOfDoom
> I don't understand why trusting LI with all your email is worse than
> trusting Google with all your email.

This is like trusting LI _and_ Google with all your email. trusting any 2
parties with your email is less secure than trusting 1 party with it. This
increases when only 1 of them is in the business of providing email. What is
the other party's interest, and does this conflict with your trust?

------
x0054
So you give up your email credentials to LinkedIn and in exchange you get a
little widget that tells you the name of the person who is emailing you, the
company they work for, their position in the company, and some contact
information? Isn't that what the signature line is for? Seriously, don't
people already set up their signature line to include all that information?

It's a cool hack, however.

------
benhamner
The privacy outrage around this is nonsensical.

Over 500 million people trust Google with complete and indefinite access to
their email. The leap from trusting no external email providers to trusting
Gmail is much greater than this incremental step of trusting LinkedIn as well.
The risk is similar to trusting an established company to automatically backup
your emails, and smaller than trusting startups like Greplin (which rebranded
and got acquired) to safeguard a dump of all your emails.

This is not to say the privacy and uptime risks are non-existent: the attack
surface area is marginally increased and there is another system that could
break.

Claiming LinkedIn's doing a "MITM attack on your email" is on the same level
as saying "Google is Big Brother." Both statements capture an element of
reality, but with an extremely alarmist bent.

~~~
austinheap
With your claim, why not make your e-mail public? If you're not worried about
Google -- who is already in bed with the NSA -- and you're not worried about
LinkedIn -- who is proposing to proxy _ALL_ your e-mails -- then just setup a
script to auto-dump every single e-mail you get to GitHub.

Win Win! You get to act like privacy isn't a real threat, and you validate
your point!

------
miguelrochefort
To HN commenters:

If you don't trust LinkedIn, fine. Don't use it.

But please, don't assume that LinkedIn is universally not trusted, the same
way you assume that Microsoft is universally hated.

This is a neat feature, and I'm sure that many people trust LinkedIn enough to
think that the trade-off is worth it. Would you prefer to not have the choice
to have access to this feature, and prevent others from having it too?

I don't see this kind of reaction when 99% of other services ask for access to a
third-party API. Why is this so different? Is it because they have access to
emails? What makes email SO MUCH more important than any other data to be in a
category of their own? I don't think you can draw a line, and it's pure
subjectivity.

Surely, the service itself is not a problem. Google would do the same thing,
and you would all think it's the best thing since sliced bread? Why? Because
most people already trust Google with their emails (and everything else), and
accept that they know everything about them.

So please, don't criticize the solution, don't blame the hack (unless you can
suggest a better way to do it). The only good reason not to use it is for lack
of trust for LinkedIn, and nothing else.

I've had enough of your drama-seeking behaviors, and I don't think I'm the
only one. Grow up.

~~~
afiler
"Would you prefer to not have the choice to have access to this feature, and
prevent others from having it too?"

Yes, I would prefer that. LinkedIn has not shown itself to be a particularly
good or careful actor in the past, and now, even if I don't opt in to this, my
email to people using this feature runs through LinkedIn servers. There are
always third parties between me and the person I'm emailing, but as the number
increases, the likelihood of compromise or failure of delivery increases.

~~~
miguelrochefort
Common socialist thinking. People on top know better, therefore they should
limit the freedom of the plebs.

Consider yourself lucky that you trust Google. Otherwise, imagine how risky it
would be for you to email most people!

Paranoia is a hell of a disease. Probably the mental disorder of this era.
Just look at all the drama that surrounds the NSA and "privacy".

In an alternative reality, people would probably pay for companies to spread
their information publicly. And you know what? I'm confident that this reality
is our future.

Learn to fight for the right things. Pro-tip: it's not privacy.

------
uptown
Apart from actually giving them the power to slip-stream their content into
your messages, how is this different (access-wise) to what people have granted
to the email-management app Mailbox? Seems like in both cases, you're handing
control of your inbox content over to an additional 3rd party unnecessarily.

------
0x0
So what happens if you reply to a mail like this? Does the quoted part contain
all that linkedin fluff?

~~~
cag_ii
According to "Pledge of Privacy"[1], no. It seems they will also modify your
outgoing mail to remove the profile info.

So in addition to reading your incoming mail they can also modify your
outgoing mail as well.

Suppose that user B gets mail from A, then forwards it to C. I'd see why this
could be valuable info. for a company like this (and also has a high potential
for abuse).

[1] [https://intro.linkedin.com/micro/privacy](https://intro.linkedin.com/micro/privacy)

~~~
0x0
Wow, it even says right there that if you forward or reply via a different
account, the full content remains in the message (of course!). I'd imagine the
same thing would happen if you moved the message from a folder in one imap
account to a folder in another imap account. Nice.

~~~
rahulvohra
There are good ways to remove 95%+ of the content even if you forward/reply
from a different account. We'll talk about this in an upcoming post.

~~~
ajays
95% != 100%.

So there's a nontrivial chance that if I'm connected to someone in LinkedIn
whose profile is "private", then if I forward a message from him (containing
this LinkedIn flair) to some third party (who is not connected to him), then I
could expose his profile details to the third party? That's a privacy lawsuit
just waiting to happen.

~~~
corin_
Every time I get an email from LinkedIn with updates on private profiles of
people I am connected to I could forward that email to anyone, is that a
privacy lawsuit waiting to happen too?

------
cag_ii
Wouldn't this essentially allow them access to read/analyze/archive all of
your email for any account you set up?

~~~
nwh
Of course. They can send as you too, which given their spammy record is quite
a huge issue. They will also be storing your IMAP password in plaintext.

~~~
timdorr
Since they are proxying the request, they don't actually have to store the
password at all.

~~~
philsnow
It took me a moment to understand what you're saying, which (correct me if I'm
wrong) is that they could just forward the credentials along to the imap
server they're proxying for, and not store those credentials themselves.
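
What "forward the credentials and never store them" looks like on the wire, as an added Python example (not LinkedIn's proxy and not from the article): the proxy passes the client's LOGIN line upstream untouched, keeps only the username for its own logs, and rewrites a FETCH BODY[] literal to inject one header, recomputing the literal length so the client's parser stays in sync. It also shows jwr's point from earlier in the thread, that the client ends up holding a message that differs from what the real server has. Both legs are TLS in practice, so the proxy sees plaintext IMAP on each side. The message, header name and host names are constructed for the example.

```python
import re

# Client -> server: a LOGIN command as any IMAP client sends it.
LOGIN_RE = re.compile(rb"^(?P<tag>\S+) LOGIN (?P<user>\S+) (?P<password>\S+)\r\n$", re.I)
# Server -> client: an untagged FETCH carrying the whole message as a literal.
FETCH_RE = re.compile(rb"^(\* \d+ FETCH \([^{]*BODY\[\] \{)(\d+)(\}\r\n)", re.I)

# Constructed sample message and the FETCH response a server would wrap it in.
SAMPLE_MESSAGE = (b"From: Bob <bob@example.com>\r\n"
                  b"To: alice@example.org\r\n"
                  b"Subject: Follow-up from the conference\r\n"
                  b"\r\n"
                  b"Good to meet you, let's talk next week.\r\n")
SAMPLE_FETCH = (b"* 1 FETCH (UID 5 BODY[] {%d}\r\n" % len(SAMPLE_MESSAGE)
                + SAMPLE_MESSAGE + b")\r\n")


def literal_size(data):
    """Byte count declared by a FETCH BODY[] literal, or None if not a FETCH."""
    m = FETCH_RE.match(data)
    return int(m.group(2)) if m else None


def fetch_message(data):
    """The message bytes a FETCH response carries, per its declared literal."""
    m = FETCH_RE.match(data)
    if not m:
        return None
    size = int(m.group(2))
    return data[m.end():m.end() + size]


class PassThroughProxy:
    """One relayed IMAP session. The password passes through to_upstream()
    inside the same call that receives it; it is never assigned to an
    attribute, so nothing here can be dumped or logged later."""

    def __init__(self, injected_header):
        self.injected_header = injected_header  # e.g. b"X-Example-Profile: ..."
        self.user = None                        # username only, for audit logs

    def to_upstream(self, client_line):
        """Bytes to send to the real IMAP server for one client line."""
        m = LOGIN_RE.match(client_line)
        if m:
            self.user = m.group("user")
        return client_line  # forwarded byte-for-byte, LOGIN included

    def to_client(self, server_data):
        """Bytes to send to the client for one server response, with the
        injected header added to a full-message FETCH literal."""
        m = FETCH_RE.match(server_data)
        if not m:
            return server_data
        size = int(m.group(2))
        start = m.end()
        message = server_data[start:start + size]
        rest = server_data[start + size:]
        head, sep, body = message.partition(b"\r\n\r\n")
        if not sep:
            return server_data  # no header/body boundary: leave it untouched
        new_message = head + b"\r\n" + self.injected_header + sep + body
        # The literal length must be recomputed or the client desynchronises.
        return m.group(1) + b"%d" % len(new_message) + m.group(3) + new_message + rest


if __name__ == "__main__":
    proxy = PassThroughProxy(b"X-Example-Profile: https://profiles.example.net/bob")
    proxy.to_upstream(b"a001 LOGIN alice@example.org hunter2\r\n")
    print(proxy.to_client(SAMPLE_FETCH).decode())
```

The flip side of "not stored" is that the proxy still sees the password on every LOGIN and, to be useful at all, sees every message body; not retaining the credential reduces what a database dump yields, not what a compromised proxy process can do.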

------
jamra
Proxy to return a header in your email. CSS to render the content upon click.
IFrame to update content so it doesn't get cached.

Cute web hacks. I don't understand the problem with simply using their mobile
app if you were really looking for work.

It sounds like an unnecessary feature for people who are looking and an
annoyance to people who are not. That seems to be the problem of Linked In.
They harass those who are working with vague and misplaced job requests in an
attempt to expand their reach.

I also hate iFrames. Cool trick though.

~~~
bjacobso
I don't think it is designed for people "looking for work". It seems to be
built for business development. For example, an email like: "Hey, we met at a
conference last month, just wanted to follow up..." - now you can see who
they are, where they work, a profile picture to jog your memory and quickly
connect - all from your email client. Very similar to what Rapportive did for
Gmail.

~~~
jamra
That's actually a good point. I never would think to use Linked in as a
business card. I usually would just write, "Hey it's me from that place we
met."

------
ig1
This thread is a great example of filter-bubble thinking.

There is a trade-off between security and features here, and while for some
people it'll be worth it for others it won't.

The majority of posters here are likely developers/technical people for whom
the features aren't that important and for whom security is a much higher
priority (because they're thinking about it from a personal email perspective
rather than a professional email perspective).

For people working in bizdev, sales, recruitment, etc. their equation is
completely different. This delivers them high-value (being able to close more
deals faster) with a relatively lower security trade-off.

Their professional email account is likely already hooked into their CRM,
email analytics, backup service, audit and archiving services, address book
services, etc. Their PA and corporate IT likely has access to their email as
well. Adding Linkedin is just one more service from a company they already
trust with highly confidential information (leads, Linkedin inbox mails, etc.)

(incidentally I'm guessing a lot of HN users probably have half a dozen chrome
extensions for SEO, screen grabbing, debugging, etc. from unverified sources
which have access to far more information than just your email credentials)

~~~
mnicole
How technical or not you are has nothing to do with how much you care about
the security of your email. LI is just hoping that they'll gain trust by being
open about their process because they're counting on that "transparency" to
help people feel comfortable about installing it.

------
bluedino
So if you sign up for enhanced email with LinkedIn, _all your incoming email
goes through their servers_?

~~~
nwh
That, and they also get access to every email you've ever sent, and the
ability to impersonate you in their email spam (though they do that anyway).

------
adamb0mb1
This is cool. I'm a little concerned that what they've done exposes some
security holes in the iPhone mail client. And, all of this work will be for
naught when Apple fixes those.

(Specifically, iframes in emails have been stripped from most modern email
clients for years)

~~~
ceejayoz
Yeah, I'm pretty shocked that iframes work at all.

Spammers could very, very easily abuse this. Send a valid-looking e-mail, then
swap out the iframe content with something spammy once they've all been
delivered.
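
A mail-side check for the remote-content concern raised in this subthread, as an added Python example that is not from the article: it walks the HTML part of a message and lists every element the renderer would fetch at display time, treating any iframe as a finding regardless of its src, since framed content can be swapped after delivery exactly as described above. The sample message and host names are constructed.

```python
import re
from html.parser import HTMLParser

# Attribute through which each element fetches something at render time.
FETCH_ATTRS = {"iframe": "src", "img": "src", "script": "src",
               "object": "data", "embed": "src", "link": "href"}
REMOTE_SCHEMES = ("http://", "https://", "//")
# url(...) references in inline styles or <style> blocks also cause fetches.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*(https?:)?//[^)'\"]+", re.I)

# Constructed sample: a plausible follow-up mail with an embedded (cid:)
# logo, a framed widget and a remote background image.
SAMPLE_HTML = """<html><body>
<p>Hi Alice, following up from last week.</p>
<img src="cid:signature-logo">
<iframe src="https://cards.example.net/v/7a2f" width="100%" height="60"></iframe>
<div style="background:url(https://cards.example.net/bg.png)">&nbsp;</div>
</body></html>"""


class RemoteContentScanner(HTMLParser):
    """Collects (where, url) pairs for content that would be loaded from the
    network when the message is displayed. iframes are always reported."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get(FETCH_ATTRS.get(tag, ""), "") or "").strip()
        if tag == "iframe":
            self.findings.append(("iframe", url))
        elif tag in FETCH_ATTRS and url.lower().startswith(REMOTE_SCHEMES):
            self.findings.append((tag, url))
        for m in CSS_URL_RE.finditer(a.get("style") or ""):
            self.findings.append((f"{tag}@style", m.group(0)))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in CSS_URL_RE.finditer(data):
                self.findings.append(("style", m.group(0)))


def scan_html_part(html):
    """Return the list of (where, url) findings for one text/html part."""
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_iframe(html):
    """True if the part contains any iframe, whatever its src points at."""
    return any(where == "iframe" for where, _ in scan_html_part(html))


if __name__ == "__main__":
    for where, url in scan_html_part(SAMPLE_HTML):
        print(f"{where:10} {url}")
```

The cid: logo is not reported because it ships inside the message; the iframe and the styled background are, because their bytes are fetched from a host the sender controls at the moment of rendering, which is what makes post-delivery content swaps possible.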

------
baddox
> A little-known fact about CSS on Mobile Safari: in certain circumstances,
> tapping a link once simulates a :hover state on that link, and tapping it
> twice has the effect of a click.

I have noticed that on websites that clearly don't intend that behavior, and
it's quite annoying. Does anyone have any details about the exact
circumstances required for this phenomenon?

~~~
snowwrestler
This is Apple trying (and IMO succeeding admirably) to handle hover navigation
in a touch environment. The alternative is to be totally accurate and never
fire a hover or mouse event--thereby breaking many site navs completely.

Hover navs are a usability problem and should never have been built in the
first place. Computer OS and application developers figured that out years ago
but for some reason web developers never got the memo.

------
hipaulshi
Despite the privacy concern everyone is warring about, it is a beautiful
integration. Technology is supposed to make life easier, not harder. Since
Apple didn't open the door, someone else will end up doing it. I am sure an
open source solution with own proxy + LinkedIn api will work as well. That
should take away the privacy concern.

------
umsm
Is this a MITM attack wrapped as an App?

~~~
joezydeco
Not just MITM, MITM + DDOS!

Now you have 220,000,000 LinkedIn users all running their email traffic
through LinkedIn's proxy. I'm sure they have the bandwidth and CPU to handle
that.

~~~
corin_
By that logic isn't every popular website/service in the world a "DDOS
problem" because it attracts lots of traffic?

~~~
joezydeco
We're talking about mail. There's an equal distribution of users across many
IMAP servers, most run by companies like Google and Microsoft that can handle
the flow. Now we're redirecting all inbound mail traffic through exactly one
host.

------
thefreeman
I see a lot of people (understandably) getting upset about the MITM aspect of
this. But almost as surprising to me was the fact that you can load an iframe
in an email with apparently no warning or notification to the user. This seems
like its asking for exploitation, even without the ability to run JavaScript.

------
danial
Even if we disregard the privacy concerns and trust the third party with our
inbox, I can't help imagining the consequences of a quiet compromise of their
proxy service.

------
millerm
For all those calling this a "hack", it is not. It is simply a "man in the
middle" attack. It is wrong. It is a total violation of trust. It is gross.

~~~
cstrat
I would only say that it is a violation of trust if they somehow installed the
certificate on your phone when installing the linkedIn app...

If a user knowingly installs this, with the understanding that linkedin is
essentially a proxy for their entire email ecosystem - then they are knowingly
trusting linkedin.

To be honest, I can see this being used by sales reps. They are often
interested in connecting to people and understanding peoples backgrounds. They
also move quite freely between organisations, and don't have a religious tie
to their email and/or privacy (in the sense of their corporate email privacy).

~~~
austinheap
1) Your average user has no idea what an iOS cert is doing.

2) Your average IT department in any publicly traded company would _NEVER_ let
this fly.

3) Any general counsel would shit all over this. No one likes fighting with
lawyers, and this is a battle I'd never put on my plate.

It's odd to assume generic users understand IMAP or what a proxy is. Remember
how Apple makes products for dumb people? Yeah. They ran a campaign on that.

On top of all of this, they have a "if you're a Google Apps admin" section
where the only way to block it is to disable _ALL_ OAuth applications.

No self-respecting CTO/CIO would let this occur in an organization they hope
to responsibly grow.

~~~
cstrat
You are correct. I guess it all comes down to how transparent Linkedin are
with the users installing this stuff. Will they disclose to the user exactly
how this works like in their blog post - or will they obfuscate the whole
activity and represent something else to the user.

------
pisarzp
I'd be really surprised if Apple lets them use all of these hacks for
long... Still a great way to get full access to all email from many users.

~~~
baddox
Which parts would Apple have an issue with? The proxy server is the only part
I can think of. Using images, CSS, and iframes in Mail is presumably a very
deliberate feature.

~~~
notahacker
Apple has blocked apps for _a lot_ less than providing a feature that
intercepts users' email and email password to circumvent Apple's own
sandboxing and inject content into their mailbox...

~~~
davidkclark
What could they do about it? Not allow you to create a mail account that
points to linkedin.com as the server?

~~~
_garrett
Apple could yank the certificate that LinkedIn is using for configuration
profiles, which would make installation significantly more difficult for the
average user.

~~~
austinheap
Apple, to my knowledge, has never revoked a single cert for config profiles
since they're rarely used outside of the mobile dev market.

Any examples of them doing what you have proposed?
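To make the configuration-profile discussion above concrete, here is an added example (not LinkedIn's profile, and not code from the article) that builds an unsigned `.mobileconfig` for a hypothetical self-hosted IMAP proxy with Python's `plistlib`. The payload keys are the ones Apple documents for the Mail payload (`com.apple.mail.managed`); the hostnames, identifiers and credentials are placeholders. The point a practitioner should take from it: the profile is an XML property list, and if it carries `IncomingPassword` the IMAP password sits in it in the clear. Signing, the CMS/PKCS#7 wrap that makes iOS show the profile as verified and whose certificate the comments above discuss, is a separate step applied to these bytes (for example with `openssl smime -sign -nodetach`) and is not performed here.

```python
"""Added example: what an IMAP-account configuration profile contains.

Not LinkedIn's profile. Builds an unsigned .mobileconfig (an XML plist) for a
hypothetical self-hosted IMAP proxy and shows that the account password is
carried in it verbatim unless the profile is encrypted for the device.
"""
import plistlib
import uuid


def mail_payload(email_address, username, password, imap_host, smtp_host,
                 description="Example proxy account"):
    """One com.apple.mail.managed payload. All hostnames are placeholders."""
    return {
        "PayloadType": "com.apple.mail.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.proxy.mail",   # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": description,
        "EmailAccountDescription": description,
        "EmailAccountType": "EmailTypeIMAP",
        "EmailAddress": email_address,
        "IncomingMailServerHostName": imap_host,
        "IncomingMailServerPortNumber": 993,
        "IncomingMailServerUseSSL": True,
        "IncomingMailServerAuthentication": "EmailAuthPassword",
        "IncomingMailServerUsername": username,
        # Optional key. When present the device never prompts for the password,
        # which is convenient and is exactly why the profile must not travel
        # over an untrusted channel or be left lying on a server.
        "IncomingPassword": password,
        "OutgoingMailServerHostName": smtp_host,
        "OutgoingMailServerPortNumber": 587,
        "OutgoingMailServerUseSSL": True,
        "OutgoingMailServerAuthentication": "EmailAuthPassword",
        "OutgoingMailServerUsername": username,
        "OutgoingPasswordSameAsIncomingPassword": True,
    }


def build_profile(payloads, display_name, identifier):
    """Wrap payloads in the top-level Configuration envelope; return XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        # True would stop the user removing the profile from Settings.
        "PayloadRemovalDisallowed": False,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(profile_bytes):
    """Parse the serialized profile back into a dict (what the device reads)."""
    return plistlib.loads(profile_bytes)


def secrets_in_clear(profile_bytes, *secrets):
    """Return the given secrets that appear verbatim in the serialized profile."""
    return [s for s in secrets if s.encode("utf-8") in profile_bytes]


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    prof = build_profile(
        [mail_payload("bob@example.com", "bob", "hunter2",
                      "imap.proxy.example", "smtp.example.com")],
        "Example proxy", "com.example.proxy")
    print(prof.decode())
    print("exposed in clear:", secrets_in_clear(prof, "hunter2"))
```

Run it and grep the output for the password to see the exposure; a profile like this is installed by opening it in Safari or Mail, after which Settings shows whether it is signed and by whom.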

------
meshko
I am speechless. This is like the Facebook Android "hack" of the VM to support
their crappy app wanting to use lots of classes, only this one is less
offensive technically and more offensive from the security point of view. WTF.

------
Demiurge
"an IMAP client may assume that the message will never change"

I burst out in laughter at that point. Yeah, that silly presumptuous email
client assuming an email is some kind of text message that doesn't change
every time you read it!

------
amvp
I think it's a fairly well implemented hack. One question: does the iPhone
mail client load the contents of iframes by default? Don't these clients
typically not load remote content like images?

------
revolly
I believe this is somewhat of a defensive tactic. Let's write a sugar-flavored
article about how neat their hack is before someone says "wait a minute!
WTF?!".

To all those who consider this a cool hack - it's not. It's ugly as hell.
Sometimes you need to do this kind of shit to get the job done, it's true, but
you know this is the kind of thing that you look at after a couple of months and
think "Oh God, I should get another job. They shouldn't force me to create
THIS. Oh God, I feel so miserable.".

------
rarw
A privacy pledge, how cute! The problem with stuff like this is not knowing
the third, fourth, and fifth party uses. Granted most users don't read these
disclosures and even more don't understand the technical aspects of how this
works. But even if you're ok with one big evil company having access to your
inbox, allowing two just seems crazy. What happens when LinkedIn thinks of a
cool way to use your emails from five years ago? By cool I of course mean
horrifying.

------
joshstrange
This is a really cool hack but I would never hand over my email creds to
someone like LinkedIn after their history with emails. They might decide one
day to "help" you by inviting everyone you have emailed or who has emailed you,
or they could start adding a "Connect With Josh" link to the bottom of my
outgoing emails that links to my LinkedIn.

Again, VERY cool how they did it but it requires quite a bit of trust in a
company that I don't find very trustworthy.

------
wslh
_When we first built Rapportive for Gmail, people thought that we were crazy —
writing a browser extension that modified the Gmail page on the fly,
effectively writing an application inside someone else’s application! But it
turned out to be a great success, and many others have since followed our
footsteps and written browser extensions for Gmail._

The author is being a bit arrogant; there is more complex stuff than
modifying Gmail on the fly (remember Greasemonkey?).

------
twanlass
I'm with everyone else - give LinkedIn access to the contents of my email? No
thanks.

------
sgrove
Wow, super clever guys. It looks really compelling as well. We had been
wondering what rapportive was up to, and we're all very impressed.

Well done!

------
codezero
Also from their FAQ:

"For technical reasons, you can't remove the Intro app icon directly from the
iPhone home screen."
[https://intro.linkedin.com/micro/faq](https://intro.linkedin.com/micro/faq)

This is insane. Not only does the whole setup hijack your mail, it is
implemented in a way that makes it very hard for users to remove it.

~~~
cJ0th
It is horrible but there is little you can do to stop this trend: most online
services do not want users to be able to undo decisions, and the vast majority
will be okay with that. Ever wanted to correct a post on Facebook?

------
gfodor
I've been talking to a number of startups whose products hinge on access to a
user's email inbox. Now here is LinkedIn doing this too. This trend is kind of
disturbing to me, I can't really imagine a future where most of the services I
use require access to all of my personal e-mail. It's quite scary.

~~~
rhizome
LinkedIn is a public company whose product is actually very simple and whose
maintenance and improvement does not really require the number of employees
they have. Initiatives like this spawn from boredom in that kind of
environment, because the product slack goes all the way up the chain.

The Iron Law[1] says that the programmers are going to be bored, the product
managers and creatives with input will approve and shepherd the product out of
boredom, and the management who launches it will do so out of boredom, all in
their own interests.

1.
[http://en.wikipedia.org/wiki/Iron_law_of_oligarchy](http://en.wikipedia.org/wiki/Iron_law_of_oligarchy)

~~~
meshko
Um that part about LinkedIn's product being simple... what??

~~~
rhizome
Yes. Users with friends, an activity feed, and job classifieds are all solved
problems that many underemployed web developers could throw a prototype
together in weeks or a few months. Tack on that pointless skills voting junk
and webboards as desired. Did I miss anything?

The fact that they have stockholders means they always have to _do something_
: Google and driverless cars, Musk going to Mars, Facebook going phone...this
IMAP hijacking is LinkedIn's current _something_ that they have to come up
with to have a story to tell investors so that they don't think LinkedIn is
"stagnating."

~~~
meshko
Building _anything_ on that scale is not trivial.

------
xsace
Not only can they read the emails, but they could even change their content or
create some false ones as well. Good fun.

------
vmarsy
Does this mean that for a simple email: _See you in 5 minutes_ or _Let's go
to lunch_, ... it would actually download a full LinkedIn profile with it?
(Hidden with the CSS, but still downloaded.) If so, it seems wasteful.

All the privacy issues it raises are already discussed.

------
EvanAnderson
I'd be all for this if the proxy were running on the device instead of
LinkedIn's servers.

~~~
bosky101
neat idea. or a proxy on your network.

------
tlrobinson
I often wish there was a good way to do email "apps" like this without giving
away the keys to the castle.

I'm just not comfortable giving my email credentials out when access to my
email is effectively a skeleton key for the rest of my accounts via password
resets.

------
Hovertruck
As right as everyone is about how insecure this is, it's a fun exercise to
imagine how different the public response to this would be if it were one
person's hack project using a self-hosted proxy. The hacks employed here are
really cool.

------
bhburke
Retitle this post as "Major security flaws in iOS" and you've done something
brilliant. Intro is malware, plain and simple, but this post has exposed some
serious holes in Apple's security which will hopefully be fixed ASAP.

------
gawi
It's wrong wrong wrong on so many levels. It's more unthinkable than
impossible.

------
junto
I didn't realise Rapportive had been bought by LinkedIn. Time to delete it from
Gmail.

~~~
junto
It wasn't immediately obvious how to remove it. For anyone else, the
instructions are here:

[http://rapportive.com/help#installation](http://rapportive.com/help#installation)

Basically, I expected it to be a Gmail plugin, but it was a browser extension.

------
georgemcbay
Privacy issues aside, have we really set the bar this low on what is or isn't
technically "impossible"? Because if so, that's terribly sad and as an
industry we should all be ashamed.

------
swah
This should be extractable by "algorithms" these days: "Our key insight was
this: we cannot extend the mail client, but we can add information to the
messages themselves"

------
616c
What a disgusting group of bottom-feeders LinkedIn has become. Question is: if
I install this unwittingly and they do something to my email server-side
later on (not that they have been accused of other vaguely unethical things),
how much are they protected by the EULA?

FYI, in the state of NJ, not even your employer has the right to do many
things with your work email. They recently decided this. I would love to see
the impending lawsuit with LinkedIn for similar reasons, but just for
advertising.

------
skizm
Looks to me like Apple has some security to tighten up. I definitely don't
think you should be able to do most of this stuff, but you can't really fault
LinkedIn I don't think. They made something that adds value to their product
and it got approved by Apple. Either way, the hacks are cool ones and I'm glad
Linked-in did this write up. Keep 'em coming.

EDIT: not an app apparently.

~~~
djrogers
This isn't an _app_ and Apple has no involvement in approving it. RTA - it's
an IMAP proxy that injects some css/html stuff to each of your emails.

~~~
skizm
Ah wow didn't realize that. In their FAQ it said "tap the Intro app icon" to
add a new account so I assumed it was an app.

------
lewispollard
The iPhone Mail app allows embedded CSS right? I mean, why not solve this for
all mobile devices by adding the top bar to all emails, marking it display:
none; and using media queries to show it if it's a mobile resolution?

Also, pretty sure the :hover state touch interaction is something anyone who's
done any kind of mobile web development knows about.

~~~
lewispollard
Oh right, I see they want to add LinkedIn profiles to all emails, not just
ones coming from LinkedIn? Well... why!?

------
fizx
While I can't see the security-conscious user liking this, the CSS tricks
could be a great tool in the bag of a company that wants to send actionable
notifications or newsletters--either the giants like Twitter, or SaaS tools
like [http://iterable.com/](http://iterable.com/).

------
napolux
Do I really need a mobile "rapportive" (acquired by linkedin recently) in
exchange for ALL my emails? NO :P

~~~
napolux
BTW, technically speaking it is really cool

~~~
sunasra
It depends on the types and frequency of email we are getting. It may help to
prioritize responding to mail.

------
cygwin98
Unless LinkedIn open sources it and I host my own copy, there is no way for me
to hand all my emails to LinkedIn.

~~~
Systemic33
A private self-hosted version of this wouldn't be that bad. Imagine that you
write the same proxy, and it injects data grabbed from the various APIs it's
hooked up to.

~~~
davidkclark
This. The tech described is pretty neat... Give you my email creds? Hell no.
But _I_ could do all that myself. I think that would be one way that linkedin
could save this - release an easy to set up open source version, say one click
to a heroku instance or something. Then one could add all sorts of smart stuff
into their own emails.

~~~
crozewski
Agreed. Imagine if you could have other providers snap into this? It's a shame
that they're hacking their way around Apple's walled garden, but a self hosted
proxy server is a nifty way to add functionality to email.
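For the self-hosted proxy that this subthread (and the CSS discussion a little further up) has in mind, here is an added example, not LinkedIn's code and not from the article, of the one piece that does the work: rewriting a fetched message before it is handed to the phone. A proxy of this kind sits between the Mail app and the real IMAP server and performs this rewrite on every FETCH; the networking is left out and only the rewrite is shown, on a sample message constructed inline. The bar it injects into the `text/html` part is hidden by default and revealed by CSS alone (a media query for narrow screens, and a `:hover` rule that a tap triggers), since the mail client runs no JavaScript. The profile data (name, headline, URL) stands for whatever the proxy looked up and is escaped because it lands inside someone else's message; the class names and the assumption that the client honours `<style>` blocks are mine. The rewrite also makes the point raised earlier about clients assuming a message never changes: the rewritten bytes are larger than the upstream copy, so a client that cached size or content by UID sees a message that changed under it.

```python
"""Added example: the message-rewriting core of a self-hosted IMAP proxy.

Not LinkedIn's code. Shows only the per-message rewrite such a proxy performs
on fetched messages; sample input is constructed below.
"""
import email
import re
from email import policy
from html import escape
from urllib.parse import urlsplit

# Hidden by default; a media query shows it on phone-sized viewports and a
# :hover rule (fired by a tap on touch devices) expands it. Assumes the client
# keeps <style> blocks, as iOS Mail is described as doing; many webmail
# clients strip them.
BANNER_CSS = "\n".join([
    "<style>",
    ".x-intro { display: none; }",
    "@media only screen and (max-width: 480px) { .x-intro { display: block; } }",
    ".x-intro .x-intro-more { display: none; }",
    ".x-intro:hover .x-intro-more { display: block; }",
    "</style>",
])

_BODY_OPEN = re.compile(r"<body[^>]*>", re.IGNORECASE)


def build_banner(sender_name, headline, profile_url):
    """HTML for one sender. Refuses non-http(s) links so the bar cannot carry a
    javascript: or other scheme into the rendered message; escapes all text."""
    if urlsplit(profile_url).scheme not in ("http", "https"):
        raise ValueError("profile_url must be http(s)")
    return "\n".join([
        BANNER_CSS,
        '<div class="x-intro">',
        f"<b>{escape(sender_name)}</b> {escape(headline)}",
        '<div class="x-intro-more">',
        f'<a href="{escape(profile_url, quote=True)}">profile</a>',
        "</div>",
        "</div>",
    ])


def inject_banner(raw, banner_html):
    """Return the RFC 822 bytes the proxy would hand to the client.

    Plain-text-only messages pass through unchanged. Anything with an HTML
    alternative is re-serialized, so its size no longer matches the upstream
    server's RFC822.SIZE and a client that cached the original by UID sees a
    message that has changed underneath it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return raw
    html = html_part.get_content()
    m = _BODY_OPEN.search(html)
    cut = m.end() if m else 0          # right after <body ...>, else at the top
    html_part.set_content(html[:cut] + banner_html + html[cut:],
                          subtype="html", charset="utf-8")
    return msg.as_bytes(policy=policy.SMTP)   # CRLF line endings, as on the wire


def body_text(raw, kind):
    """Decoded text of the 'html' or 'plain' alternative (None if absent), with
    line endings normalized so comparisons ignore the serialization policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=(kind,))
    return None if part is None else part.get_content().replace("\r\n", "\n")


# Constructed sample input, not a captured message.
SAMPLE_MESSAGE = b"""From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Lunch?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See you in 5 minutes.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>See you in 5 minutes.</p></body></html>
--b1--
"""

PLAIN_ONLY = b"""From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Lunch?

See you in 5 minutes.
"""

if __name__ == "__main__":
    banner = build_banner("Alice Example", "Engineer at Example Corp",
                          "https://www.example.com/in/alice")
    out = inject_banner(SAMPLE_MESSAGE, banner)
    print(out.decode())
    print("size before/after:", len(SAMPLE_MESSAGE), len(out))
```

Running it prints the rewritten message and the size change. Note that even a two-word message grows by the whole bar, which is the bandwidth cost raised elsewhere in the thread, and that the proxy, not the upstream server, is now the source of truth for what the client stores.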

------
NicoJuicy
For some weird reason (having dealt with newsletter projects), manipulating
the HTML through the IMAP services was the first thing I could think of.

But I wouldn't do that, because this way, you can intercept all messages that
people are mailing and it would harm your business image (at least, in my
eyes).

------
xoail
There is definitely not much value here for the risk involved (handing out your
credentials to a 3rd party). Although interesting, the hack seems pretty
straightforward. I wonder if they had to do something more complex for 2-factor
authentication enabled accounts (gmail) or if that is not supported?

------
priley
Interesting hack. So since you inject that social info at the time of the
email, that means if someone gets a new job, it will still show the old
employer info / position in the older emails... right? What made you guys do
this instead of your own mail app like Mailbox?

------
_nb
Certainly an interesting workaround. I'm not that familiar with iOS
development, so could someone explain what technical reasons there might be
for running a remote imap proxy server to do the message modifications rather
than a local (on device) one?

------
abritishguy
There is some really neat technical stuff at LinkedIn; it's just a shame the
site is a pile of spamming shit. If they overhauled it and got rid of all the
annoying things then it would actually be decent.

------
cturhan
These are not their first hacks.

[http://www.scribd.com/doc/169844985/LinkedIn-Hacking](http://www.scribd.com/doc/169844985/LinkedIn-Hacking)

------
bhauer
I want to see a documentary showing how such a feature was conceived,
greenlighted, implemented, and ultimately released without someone pulling the
plug.

------
yamill
This is a game changer. Love this idea, and also would love to see other big
social networks using the same technology to make our mail more interactive.

------
scotthtaylor
Love it - great work.

------
skc
Not sure why they went through all that hassle for something that Apple will
surely outlaw in a few weeks.

Seems like an awful waste of time to me.

------
lispm
I have this Linkedin account. As a German its usefulness approaches zero. Its
security problems seem to grow.

Looks like it is time to dump Linkedin.

------
webhat
A friend of mine pointed out that it's surprising that the iOS mail app
supports iframes. Isn't that a security issue?

------
NKCSS
They should have open-sourced their MitM IMAP service and allowed you to use
your own, and then this would have been a cool hack.

------
st3fan
I feel sorry for the poor folks who had to engineer this 'product'. What a sad
thing to have on your resume.

------
agmontpetit
Awesome article. I was curious why it is possible to iframe the button but not
the whole contact info? Thanks

------
zimpenfish
It's a clever hack but "Doing the impossible" is a ridiculous oversell
headline.

------
rsankar
I didn't know proxy servers were part of apple's approved apps.

------
caiob
Why would anyone wanna use this? Plus, we're talking LinkedIn here!

------
jamiequint
Does anyone know if this works with the Gmail iPhone app as well?

~~~
gcb0
it will probably "work" as they are abusing the network (it will probably
screw up VPN configs) to hijack all imap calls. unless the gmail app uses
regular http endpoints... which it probably does.

~~~
djrogers
They aren't 'hijacking' all imap calls, you explicitly set up their service as
your email provider, and email is proxied through it.

------
magikbum
An easy hack for them to collect their users' phone numbers too.

------
EGreg
Wow, I am amazed.

------
v0land
What a huge, ugly crotch.

------
barkingcat
I will never use this.

------
seivan
This seems very very very brittle. Some over compensating product asshat
managed to convince their code monkeys into building something that will
probably break easily not to mention security concerns with giving them your
mailbox access.

------
LekkoscPiwa
While this is truly impressive, am I the only one who considers LinkedIn just
a place from which recruiters send tons of unwanted spam?

