LinkedIn iOS app also vulnerable to plist identity theft

Following Gareth Wright's recent finding that the Facebook iOS app stores authentication keys in a plain-text file that is easily accessible even on non-jailbroken devices (so it can simply be copied to another device to grant access to that account), we have just discovered that the same security flaw is also present in the latest version of the LinkedIn iPhone app. These plist files can also easily be extracted from iTunes backups.

Use a free app (in this case iExplorer) to browse the contents of your iPhone. If you navigate to Apps/LinkedIn/Library/Preferences you will find a file named com.linkedin.LinkedIn.plist; this is the file in question.

Simply copying the com.linkedin.LinkedIn.plist file from one device to another and then relaunching the LinkedIn app will automatically log the user in using the account details from the cloned plist file.
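For developers who want to check their own app's preferences file for this flaw, the following is an added example (not code from this post or from LinkedIn) that walks a plist and reports credential-like entries without printing their values. The key-name patterns and the sample plist are constructed assumptions; the real file's key names are not listed here.

```python
import plistlib
import re

# Key-name patterns that suggest a stored credential. This list is an
# assumption of the example, not taken from the LinkedIn or Facebook apps.
SUSPECT = re.compile(r"token|secret|passw|session|oauth|auth|cookie|api.?key", re.I)


def find_credential_keys(plist_bytes):
    """Return sorted-by-walk (key path, value type, length) for suspect entries.

    Secret values are never returned, so the report is safe to share.
    """
    findings = []

    def walk(node, path, suspect):
        if isinstance(node, dict):
            for key, value in node.items():
                # A suspect key taints everything nested beneath it.
                walk(value, f"{path}/{key}", suspect or bool(SUSPECT.search(key)))
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]", suspect)
        elif suspect and isinstance(node, (str, bytes)) and len(node) > 0:
            # Empty placeholders are skipped: nothing is actually stored.
            findings.append((path, type(node).__name__, len(node)))

    walk(plistlib.loads(plist_bytes), "", False)
    return findings


# Constructed sample standing in for an app's Library/Preferences plist.
SAMPLE = plistlib.dumps({
    "lastSyncDate": "2012-04-05",
    "oauthToken": "constructed-token-value",
    "authHint": "",
    "account": {"displayName": "Example User",
                "sessionSecret": b"\x01\x02\x03\x04"},
    "cookies": ["constructed-cookie"],
})

if __name__ == "__main__":
    for path, kind, length in find_credential_keys(SAMPLE):
        print(f"credential-like value in plist: {path} ({kind}, {length} bytes)")
```

Any entry this reports is readable by anyone with the file or an unencrypted backup; such values belong in the iOS Keychain rather than in the preferences plist.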

I “nabbed” a copy of Gareth Wright’s LinkedIn plist (he emailed it to me) and dropped it onto my own non-jailbroken iPhone and relaunched LinkedIn.

I was instantly into Gareth’s LinkedIn profile. I could browse all his personal messages, invitations and contacts, edit his profile and even send myself an invite to join his network!

Here was my LinkedIn screen prior to copying the plist file over

and here it was after copying the plist and relaunching the app. At no point did it prompt me to re-enter my password or authenticate.

I was able to navigate his LinkedIn profile without any issues, view all his messages, invitations and connections, and even create an invitation and send it to myself.

and here is the invitation I received

Best security practices for your iPhone/iPad

Basic Security – Everybody should at least do this

Turn on Passcode Lock and set a 4-digit numeric PIN.

Set it to only prompt for the PIN after 1 hour of inactivity.

Medium Security – For those who like to be extra careful

Turn off Simple Passcode and opt for a more secure alphanumeric password.

Set it to prompt for the password immediately, so every time you pick up the device it prompts you for a password.

Turn Restrictions on and go to Location Services, click Find My iPad and make sure “Status Bar Icon” is off, so the tell-tale GPS arrow doesn't show if you need to track your iOS device.

High Security – For the über paranoid

As per medium security above for the passcode.

Turn on Erase Data so if somebody tries to use the wrong passcode 10 times it wipes your device.

Turn Restrictions on and go to the Location section. Make sure all the apps you use that need location services are turned on (disable any apps you don't think need to know your location).

Go to System Services and disable Setting Time Zone, Location-Based iAds, and Diag and Usage (they just waste battery for no reason). Make sure the status bar icon for System Services is also OFF.

Make sure Find My iPad is ON and its status bar icon is OFF.

Then select Don't Allow Changes. This greys out all location services, so if your iPad ends up in the wrong hands and was taken from you whilst you were logged in (i.e. they don't need to get past your passcode), they can't switch location services off. However, a clever thief who has managed to take your iPad from your hands whilst you were logged in would first try to disable location services; once they realise they can't, they will jump to deleting your iCloud or MobileMe account so you can't use Find My iPad, so you'll want to stop them from being able to do that.

Go to Restrictions –> Accounts –> click Don’t Allow Changes, and now all the account options are greyed out.

This next step will seem nonsensical, but if you want to make sure you can track your iOS device and get it back then make sure Erase Data after 10 failed passwords is turned OFF. If it’s turned on and they try 10 passwords, your iOS device wipes itself, making it like a brand new iPad for them to play with and leaving no way for you to track it.

 

 

KeyCase iPad 2 Folio Deluxe with Bluetooth Keyboard [Review]

I bought the first-generation iPad on UK launch day, way back on 28 May 2010, and since then have upgraded to the iPad 2, again on launch day, and have the new iPad (aka iPad 3) pre-ordered for delivery this Friday 16th March. I love the iPad; it filled a gap between my iPhone and MacBook Air that I didn’t know was there. In a similar way, the KeyCase iPad 2 Folio Deluxe case with built-in Bluetooth keyboard fills a gap for an iPad case that I didn’t know was there.

Whilst this review relates to my iPad 2 paired to a bluetooth keyboard case, the majority of the benefits I discuss in this article would equally apply to a Samsung Galaxy 10.1 case with built in bluetooth keyboard or a Kindle Fire case with built in keyboard (if such a thing exists).

I’ve never had a problem using the iPad or iPad 2 onscreen keyboard, it’s fast and responsive and the keys are a decent size (in landscape mode at least) but I would never dream of using the iPad on screen keyboard for anything other than quick email replies, form filling, brief note taking etc. For anything that needed more than 5 minutes of keyboard time I’d bring out the MacBook Air which is far easier to speed touch type on and get a lengthy email, proposal, blog post or report typed up.


iPhoto [9.2.1] cannot be opened because of a problem [FIX = update to iPhoto 9.2.2]

After running some Apple software updates recently, some users (myself included) are unable to launch iPhoto after the update and are presented with the error “iPhoto cannot be opened because of a problem”. The alert window asks if you wish to send the error report to Apple, which I suggest you do.
