LinkedIn Android “bug fix” update includes invasive permissions change

LinkedIn was an app I hesitated to install initially because of the long list of permissions it requires. The December 19th update also added one more:

The full description of this permission reads:

READ SENSITIVE LOG DATA
Allows an application to read from the system’s various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.

The fact is that the permissions required by the app were already invasive. If it had included “read sensitive log data” from the beginning I probably wouldn’t have batted an eyelid; it’s one amongst many.

The problem is the way they made the change without any explanation. The release notes for this version simply say “Fixed several bugs reported by our members”, which is clearly not a complete list of changes by any stretch of the imagination, and suggests that revealing the true list of changes to users would not encourage them to update.

Some review comments suggest that this update is business-focused rather than end-user focused; apparently it now displays ads (I have not installed the new version and do not plan to, so I cannot confirm).

The reaction in the reviews section is surprisingly harsh. I, like LinkedIn obviously, thought that most people didn’t pay attention to permissions and blindly click update. But there has been a spate of 1-star reviews lately, which indicates that many people DO check permissions and rightly question why an app needs them.

Some of the comments from 1-star reviews, of which there are many:

  • “Invasive permission request without explanation”
  • “Like LinkedIn, but uninstalling this app because of the new permissions”
  • “Syslogs? Really? Uninstalling until you rectify. I can understand access to contacts, but not my logs to track data to sell. #fail”
  • “Why does the app now need to read sensitive log data when the What’s New section says it’s only fixing bugs reported by members?”

These “reviews” have pushed the app score down to 3.6.

At the time of writing I have seen no response from LinkedIn, and the app listing has not been updated to explain the changes. It may be that the reasons for the new permissions are perfectly mundane, but if that’s the case, where’s the explanation?

Here’s the full list of permissions, lifted from https://market.android.com/details?id=com.linkedin.android. How many companies would you allow to access this much of your data?

YOUR ACCOUNTS

  • USE THE AUTHENTICATION CREDENTIALS OF AN ACCOUNT: Allows an application to request authentication tokens.
  • MANAGE THE ACCOUNTS LIST: Allows an application to perform operations like adding, and removing accounts and deleting their password.
  • ACT AS AN ACCOUNT AUTHENTICATOR: Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.

HARDWARE CONTROLS

  • TAKE PICTURES AND VIDEOS: Allows application to take pictures and videos with the camera. This allows the application at any time to collect images the camera is seeing.

NETWORK COMMUNICATION

  • FULL INTERNET ACCESS: Allows an application to create network sockets.

YOUR PERSONAL INFORMATION

  • READ CONTACT DATA: Allows an application to read all of the contact (address) data stored on your device. Malicious applications can use this to send your data to other people.
  • WRITE CONTACT DATA: Allows an application to modify the contact (address) data stored on your device. Malicious applications can use this to erase or modify your contact data.
  • READ SENSITIVE LOG DATA: Allows an application to read from the system’s various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.

PHONE CALLS

  • READ PHONE STATE AND IDENTITY: Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

STORAGE

  • MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS: Allows an application to write to the USB storage. Allows an application to write to the SD card.

SYSTEM TOOLS

  • MODIFY GLOBAL SYSTEM SETTINGS: Allows an application to modify the system’s settings data. Malicious applications can corrupt your system’s configuration.
  • WRITE SYNC SETTINGS: Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.
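
A way to catch a permission that arrives in an update whose release notes do not mention it: compare the permissions declared by the old and new versions and flag any sensitive additions. This is an added example, not part of the original post; the two manifests are constructed samples (package `com.example.app`, not LinkedIn's actual manifest), and the label mapping covers only four of the permissions listed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest names for four of the listing labels quoted in the post.
SENSITIVE = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.READ_PHONE_STATE": "read phone state and identity",
    "android.permission.CAMERA": "take pictures and videos",
}

def permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n.strip() for n in names if n}

def diff_permissions(old_xml, new_xml):
    """Compare two versions; 'flagged' holds newly added sensitive permissions."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = sorted(new - old)
    return {
        "added": added,
        "removed": sorted(old - new),
        "flagged": [(p, SENSITIVE[p]) for p in added if p in SENSITIVE],
    }

def _manifest(perms):
    """Build a constructed decoded AndroidManifest.xml (sample input only)."""
    uses = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="com.example.app">\n{uses}\n</manifest>')

# Constructed sample: the newer version adds READ_LOGS, as in the update above.
OLD = _manifest(["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                 "android.permission.CAMERA"])
NEW = _manifest(["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                 "android.permission.CAMERA", "android.permission.READ_LOGS"])

if __name__ == "__main__":
    report = diff_permissions(OLD, NEW)
    for name, label in report["flagged"]:
        print(f"NEW sensitive permission: {name} ({label})")
    print("added:", report["added"], "removed:", report["removed"])
```

The manifest inside an APK is stored as binary XML, so decode it first (for example with apktool) before passing it to `permissions()`.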

2 thoughts on “LinkedIn Android “bug fix” update includes invasive permissions change”

  1. Darryl

    The reviews are getting awesome on this change. I’m really surprised LinkedIn hasn’t done anything. And I’m also really surprised that this is the only blog I could find mentioning it.

    So many uninstalls and complaints.

  2. JC

    I’ll admit I thought this was a great app too – but now with all the intrusiveness, it’s one I’ll be rating 1-star and uninstalling.

    Today’s latest update…
    Read calendar events PLUS CONFIDENTIAL INFORMATION

    Forget it – not worth the trouble.
    Uninstalled
