In this era of heightened security fears, when headlines routinely shout about hackers stealing millions of personal records in a single digital heist on some of the nation’s biggest companies, you should never be handing your Apple ID and password over to anyone who isn’t Apple. Yet that’s just the permission that the new Sunrise calendaring app asks when you first load it up, and not only is there no rule against apps doing so in Apple’s internal guidelines, but Cupertino’s actually awarded Sunrise with a coveted spot in the “Featured” section of the App Store.
First spotted by Neven Mrgan, programmer and pundit Marco Arment of Instapaper and The Magazine fame delved into the issue in more detail, and found that when you use the iCloud Calendar option in Sunrise, the app itself — not iOS, or Apple — asks for your Apple ID email address and password.
Sunrise claims that they’re not storing the credentials and are instead just getting a login token of some sort from iCloud. (It’s unclear whether they’re transmitting your email and password to their servers and getting the login token from there, or doing the exchange from the device.) But that doesn’t matter at all.
No app or website should ever be asking for a high-security username and password directly, especially given how much is tied to your Apple ID. What year is this?
It’s downright dangerous that Apple not only let this through app review, but is promoting it.
He’s right. While Sunrise insists that they aren’t storing your credentials, how could an end user possibly know? Yet according to Arment, there’s no existing rule against an app asking for an Apple ID and password, leaving a wide back door open for potential fraud. Sunrise might be innocent of any wrongdoing, but the next app developer to use this trick might not be. Apple needs to change this, stat.