A potential security issue with iOS apps has come to light: a calendar app asks users to provide their Apple ID login details in order to sync calendars, Marco Arment revealed. The Sunrise Calendar app has an “Add Account” feature that lets users connect the app to an iCloud calendar, Facebook and Google Calendar if they so desire. To do so, Sunrise requires user names and passwords, which may be a security risk, especially for iCloud, because it uses Apple ID login details that can also be used to access Apple’s digital stores, including iTunes, the iOS App Store, the Mac App Store and Apple’s iBookstore.
“No app or website should ever be asking for a high-security username and password directly, especially given how much is tied to your Apple ID,” Arment writes. “What year is this?”
Sunrise has responded that it doesn’t store the login details on its servers – the app screen also says that passwords will not be collected – and instead only requires the credentials to obtain a token from Apple. “When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials,” Sunrise said.
Apple is allowing developers to include such features in their apps, as there is “no rule against doing this.”
Two months ago, Sunrise advised users that its database provider had suffered a security breach, offering them details about how their data may have been affected. Interestingly, for connected iCloud accounts, the company said that “even though we don’t store any credentials, the security breach may have put some of your calendar data at risk.” At the time, Sunrise told customers to change their iCloud passwords to make sure their data was safe.