The Sunrise calendar app for iOS devices asks users to enter their Apple IDs and passwords. Experts say that no application should request this piece of information, and Apple should strictly prohibit developers from collecting such data.
Marco Arment, Neven Mrgan and Michael Tsai were the first to raise questions regarding Sunrise’s practices.
Sunrise explained, “When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.”
Arment says that while this is better than storing the information in Sunrise’s database, it still isn’t very secure.
“They’re still taking on the responsibility of transmitting it securely from the app, receiving it securely on the servers, sending it back to Apple securely to get a token, ensuring no tools, proxies, or analytics are caching or logging it along the way, and ensuring that their servers aren’t quietly hacked and nobody’s monitoring the application to capture the credentials in flight,” he explained.
A couple of months ago, Sunrise warned its customers of a security breach suffered by the company’s database provider MongoHQ. At the time, the organization advised users to change their iCloud passwords as the security breach might have put some of their calendar data at risk.
Currently, Apple allows app developers to collect iCloud credentials and do whatever they want to do with the information. However, as Arment highlights, it’s enough for one company to suffer a security breach and a lot of Apple IDs could become compromised.