Tuesday, January 21, 2014

Calendar App Asks for Apple ID and Password

Neven Mrgan:

For years I’ve rejected app ideas that would require the user’s Apple ID and password, certain that Apple would reject such apps swiftly. Now, Sunrise app—which asks for this info, and a whole lot more—is not just approved, but prominently featured. Sigh.

A previous version of OmniFocus also asked for your iCloud login info, since there was then no API for reminders. iOS does have an API for calendar access, but apparently it doesn’t cover everything the Sunrise (App Store) developers wanted to do. A couple months ago, they had a security breach and recommended that customers change their iCloud passwords. This does not inspire confidence, but I wouldn’t focus too much on this particular developer. These days, your Apple ID is the master key to all sorts of personal information and privileges, including the ability to remote wipe iOS devices and access your Mac, even if you didn’t share your FileVault 2 recovery key with Apple. It doesn’t seem prudent to share it with anyone.

Update (2014-01-22): Marco Arment:

I couldn’t believe it, so I downloaded the app myself and took these screenshots.

Update (2014-01-23): Sunrise:

When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.

Marco Arment:

This is better than storing your password in their database, but it’s still not very secure by modern standards: they’re still taking on the responsibility of transmitting it securely from the app, receiving it securely on the servers, sending it back to Apple securely to get a token, ensuring no tools, proxies, or analytics are caching or logging it along the way, and ensuring that their servers aren’t quietly hacked and nobody’s monitoring the application to capture the credentials in flight.

Update (2014-01-30): Sunrise:

Since our 2.11 version, we are not sending iCloud credentials to our servers, the app generates the secure token client-side.

Tags: , , , , , ,

7 Comments

A big problem is the ridiculous limits on the APIs. Not just for calendar when you could access it yourself. But also doubly so for music data and playing. Ecoute just got rejected for even using the API in a way Apple now says is bad. It's extremely frustrating — doubly so when Apple's native apps are so wanting in many ways. Apple should just restrict using the Apple ID and make their data access APIs much more robust.

[...] Calendar App Asks for Apple ID and Password [...]

Gmail has per application passwords. I can't see why Apple couldn't do the same. They could allow you to specify what iCloud items you are okay with them accessing.

"Gmail has per application passwords."

Not sure what that means. Could you explain?

2do app also asks for apple id so it can sync with reminders. Wondering about their security??

Jamie McCarthy

Mr. Potter: Google allows us to set up 2-factor authentication for access to its services such as Gmail. This means that, along with a password, we'll be challenged for a one-time code (typically generated by the Google Authenticator app on a mobile device).

However, most non-Google applications don't provide a way for the auth code to be entered -- for example, a standard mail client has no interface to allow for this.

So instead, what Google does is allow you to generate any number of per-application passwords. These are randomly-generated text which Google only shows to you once. You enter that as your Google password in your mail client, and Google accepts it as if it were your actual password. For security, you don't reuse these -- so if a hacker gets ahold of it, all they get is access to that one application. (That's why Google only shows it to you once, to help prevent the temptation to reuse it.)

This is an important security measure in general, but it's necessitated by the use of the 2-factor auth feature with third-party apps.

Apple and other companies with "high-value passwords" would do well to emulate the extra security precautions taken by Google and Facebook.

More info here:

https://support.google.com/accounts/answer/185833

[...] Here’s something to be on the lookout for: the Sunrise calendar app is asking users for their Apple ID and password. What’s even more worrisome is that Sunrise had a security breach a couple months ago. [...]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment