Are apps that ask for your iCloud password a privacy threat?


We take our usernames and passwords for granted until they are compromised and our accounts are stolen by malicious hackers. It happened to Wired journalist Mat Honan and it can happen to you, too. This why Marco Arment’s latest blog post about the handling of iCloud credentials by apps is so concerning.Arment points to the Sunrise Calendar app, which is currently being promoted by Apple, as an example of how not to handle iCloud IDs. Upon launch, the app asks you to sign up for an account and then add a calendar. If you want to add an iCloud calendar, you must enter in your Apple ID username and password. This information is entered in the Sunrise app itself and is sent to Sunrise’s servers. Sunrise confirmed to Arment that this is what it is doing.

When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.

Though this data is not stored on Sunrise’s servers, the data is still being processed by Sunrise’s servers before it is sent off to Apple. Users are trusting Sunrise to ensure the data is not being cached along the way by analytic tools or proxies and that nobody has compromised the intermediary servers and is maliciously monitoring the sending and receiving of this data. Given the high-profile security breaches at Target and Neiman Marcus, this is a valid question to ask.

Based on Sunrise’s response to Arment’s post, it appears that Apple may be contributing to this problem by not supporting OAuth or a similar scheme. OAuth takes the approval process out of the hands of the app and puts it in the hands of the service. The approval process is handled by the service on its own website, not within the app. For example, if an app wants to access your Twitter account, you are brought to Twitter where you can login and provide permission to the app. Apple doesn’t support OAuth so Sunrise claims it has to handle this authorization on its own servers.

Arment argues that this behavior is risky and Apple someday may pay the price.

Many readers have blamed Apple for this, mostly because the lack of official iCloud APIs and support for OAuth (or a similar scheme). I agree. But the ideal “Apple way” isn’t to do something really horribly until they have time and motivation to “do it right” — it’s not to do it at all.

It’s better not to permit apps to access customers’ iCloud account at all (beyond the official, secure APIs) than to allow any app to collect them insecurely and do whatever they want with them.

Regardless of whether you agree that this is Apple’s fault, it will definitely be Apple’s problem when an app like this has a security breach that compromises hundreds of thousands — maybe millions — of Apple IDs.

What do you think? Are apps like Sunrise a security or privacy threat? Will you continue to use apps that ask for your Apple ID and password?

Like this post? Share it!

Categories: iOS Apps

  • Byron

    Let me get this right: you’re asking whether giving complete strangers on the internet one’s iCloud login info would compromise the security of that user’s iCloud account and data?

    I find it remarkable that you’ve managed to generate an entire “article” out of this.

    Did you think it through silently by yourself first, or did you just say “nah, sod it!” and jump for a chance to get clicks and ad views?

    • Alan

      Did you even read the article? You certainly don’t seem to have got it.

      Next time read, understand the article, before trying to go nuclear on the writer.

      • Byron

        Who’s talking to you? Go read it yourself. I don’t work for you. I doubt anyone does.

    • Gautam

      I didn’t get the point you’re trying to make.

      It seems like a valid concern to me. Ideally, the login details should not go to a developers servers. I would trust Apple rather than a little known developer. That is the reason we have things like OAuth.

      • Byron

        The point is that it’s really quite well beyond a valid concern, bordering solidly on obvious.

        OAuth is a better alternative, certainly; however I don’t share your trust in Apple. Even their new data centre in IE would, um, let’s say “benefit” from an ultra-wide link to the US anyway so it’s unclear under what legislation the data are actually kept. Is there a more reasonable option for iCloud? No. Is it ideal? No.

        • Sumer

          Dude you must be a moron!

        • Gautam

          Actually, I didn’t realize this was happening. I was under the impression that authentication was being router through Apple’s servers. So don’t think it was obvious.

          You don’t trust Apple, but you trust an unknown developer? That’s bizarre, but whatever works for you.

          • Byron

            Where in my response does it say I trust Apple? Long day?