For years I’ve rejected app ideas that would require the user’s Apple ID and password, certain that Apple would reject such apps swiftly. Now, Sunrise app—which asks for this info, and a whole lot more—is not just approved, but prominently featured. Sigh.
A previous version of OmniFocus also asked for your iCloud login info, since there was then no API for reminders. iOS does have an API for calendar access, but apparently it doesn’t cover everything the Sunrise (App Store) developers wanted to do. A couple months ago, they had a security breach and recommended that customers change their iCloud passwords. This does not inspire confidence, but I wouldn’t focus too much on this particular developer. These days, your Apple ID is the master key to all sorts of personal information and privileges, including the ability to remote wipe iOS devices and access your Mac, even if you didn’t share your FileVault 2 recovery key with Apple. It doesn’t seem prudent to share it with anyone.
Update (2014-01-22): Marco Arment:
I couldn’t believe it, so I downloaded the app myself and took these screenshots.
Update (2014-01-23): Sunrise:
When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.
This is better than storing your password in their database, but it’s still not very secure by modern standards: they’re still taking on the responsibility of transmitting it securely from the app, receiving it securely on the servers, sending it back to Apple securely to get a token, ensuring no tools, proxies, or analytics are caching or logging it along the way, and ensuring that their servers aren’t quietly hacked and nobody’s monitoring the application to capture the credentials in flight.
Update (2014-01-30): Sunrise:
Since our 2.11 version, we are not sending iCloud credentials to our servers, the app generates the secure token client-side.