We take our usernames and passwords for granted until they are compromised and our accounts are stolen by malicious hackers. It happened to Wired journalist Mat Honan and it can happen to you, too. This is why Marco Arment’s latest blog post about the handling of iCloud credentials by apps is so concerning.

Arment points to the Sunrise Calendar app, which is currently being promoted by Apple, as an example of how not to handle iCloud IDs. Upon launch, the app asks you to sign up for an account and then add a calendar. If you want to add an iCloud calendar, you must enter your Apple ID username and password. This information is entered in the Sunrise app itself and is sent to Sunrise’s servers. Sunrise confirmed to Arment that this is what it is doing.
When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.
Though these credentials are not stored on Sunrise’s servers, they still pass through Sunrise’s servers before being sent on to Apple. Users are trusting Sunrise to ensure that the credentials are not cached along the way by analytics tools or proxies, and that nobody has compromised the intermediary servers and is quietly monitoring what is sent and received. Given the high-profile security breaches at Target and Neiman Marcus, this is a valid concern.
Based on Sunrise’s response to Arment’s post, it appears that Apple may be contributing to this problem by not supporting OAuth or a similar scheme. OAuth takes the approval process out of the hands of the app and puts it in the hands of the service. The approval process is handled by the service on its own website, not within the app. For example, if an app wants to access your Twitter account, you are brought to Twitter, where you can log in and grant the app permission; the app never sees your Twitter password. Apple doesn’t support OAuth, so Sunrise claims it has to handle this authorization on its own servers.
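To make the difference concrete, here is a small simulation of the two patterns the article contrasts. It is an added example, not code from the article, from Sunrise, or from Apple, and every name in it (IdentityProvider, ThirdPartyServer, the client id and the user) is constructed for illustration. The first flow sends the user’s password through the app vendor’s server, as Sunrise describes; the second is an OAuth-style authorization-code flow in which the user signs in with the service directly and the vendor’s server only ever handles a one-time code and a scoped token. The example goes slightly beyond the text by also showing two things a token buys you that a stored password cannot: a limited scope and revocation without changing the password.

```python
"""Added example: what an app vendor's server sees under each credential pattern."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 10_000  # small for a demo; production would use far more


class IdentityProvider:
    """Stands in for the account service (the iCloud side in the article).
    It alone holds the password hash and issues scoped, revocable tokens."""

    def __init__(self):
        self._pw_hash = {}   # user -> (salt, pbkdf2 hash)
        self._codes = {}     # one-time authorization codes
        self._tokens = {}    # token -> (user, scope)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._pw_hash[user] = (salt, digest)

    def check_password(self, user, password):
        salt, digest = self._pw_hash[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)

    # Pattern 1: whoever presents the password gets a full-access token.
    def token_for_password(self, user, password):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        return self._issue(user, scope="full")

    # Pattern 2 (OAuth-style): the user authenticates *here*, on the service's
    # own site, approves a scope for a named client, and receives a one-time code.
    def authorize(self, user, password, client_id, scope):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, scope)
        return code

    def exchange_code(self, code, client_id):
        user, issued_to, scope = self._codes.pop(code)  # pop: a code is single-use
        if issued_to != client_id:
            raise PermissionError("code was issued to a different client")
        return self._issue(user, scope)

    def _issue(self, user, scope):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scope)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def scope_of(self, token):
        return self._tokens.get(token, (None, None))[1]


class ThirdPartyServer:
    """The app vendor's backend. `observed` records every secret that transits
    it, which is exactly what an attacker who compromised it would obtain."""

    def __init__(self, idp, client_id):
        self.idp, self.client_id, self.observed = idp, client_id, []

    def credential_passthrough(self, user, password):
        self.observed.append(("password", password))
        return self.idp.token_for_password(user, password)

    def oauth_callback(self, code):
        self.observed.append(("auth_code", code))
        return self.idp.exchange_code(code, self.client_id)


def run_passthrough(idp, user, password):
    """Article's pattern 1: the app relays the user's password via its own server."""
    srv = ThirdPartyServer(idp, "calendar-app")
    token = srv.credential_passthrough(user, password)
    return token, srv.observed


def run_oauth(idp, user, password):
    """Pattern 2: the user signs in with the service directly; only a code reaches the vendor."""
    srv = ThirdPartyServer(idp, "calendar-app")
    code = idp.authorize(user, password, "calendar-app", scope="calendar.read")
    token = srv.oauth_callback(code)
    return token, srv.observed


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.register("alice@example.com", "correct horse battery staple")  # constructed sample
    _, seen = run_passthrough(idp, "alice@example.com", "correct horse battery staple")
    print("pass-through server observed:", seen)
    _, seen = run_oauth(idp, "alice@example.com", "correct horse battery staple")
    print("OAuth-style server observed:", seen)
```

Running it shows the pass-through server holding the plaintext password, while the OAuth-style server sees only a single-use code that is useless to any other client. The scoped token it ends up with can be revoked by the service without the user having to change their password, which is the property the article’s “do it right” alternative is really about.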
Arment argues that this behavior is risky and Apple someday may pay the price.
Many readers have blamed Apple for this, mostly because the lack of official iCloud APIs and support for OAuth (or a similar scheme). I agree. But the ideal “Apple way” isn’t to do something really horribly until they have time and motivation to “do it right” — it’s not to do it at all.
It’s better not to permit apps to access customers’ iCloud accounts at all (beyond the official, secure APIs) than to allow any app to collect them insecurely and do whatever they want with them.
Regardless of whether you agree that this is Apple’s fault, it will definitely be Apple’s problem when an app like this has a security breach that compromises hundreds of thousands — maybe millions — of Apple IDs.
What do you think? Are apps like Sunrise a security or privacy threat? Will you continue to use apps that ask for your Apple ID and password?