
Apparently It’s OK For iOS Apps To Ask For Your Apple ID And Password - shawndumas
http://www.marco.org/2014/01/22/sunrise-asks-for-apple-id-password
======
way66
Hey everybody, Pierre from @sunrise. This is the blog post we've just
published to give more context:

"Users sometimes ask us why we require the user’s Apple ID and password in
Sunrise, instead of using the local Calendar API. That’s a great question to
ask, and we understand why users don’t want to share their credentials without
context. We’ve thought a lot about that.

The two reasons why we are doing this are: \- one, to provide a better user-
experience \- two, to offer a Sunrise experience everywhere, on all platforms
(including web and Android)

Providing a better user-experience

Being able to access the data from our servers, instead of just client-side,
has enabled us to write a better calendar app. We are working hard to make
synchronization faster and more reliable, and it enables us to send push
notifications or alerts to users without them having to open the app.

And this is just the beginning, a lot of new features that we are working on
at Sunrise for the future will rely on our server-side infrastructure.

Sunrise everywhere

The two biggest feature requests we get from users are: “when is Sunrise going
to launch on desktop” and “what about Android?”.

We understand our users, they want a unified Sunrise experience everywhere,
and so we can’t use a local API for that.

How does it work? Is this secure?

When you type in your iCloud credentials, they are sent to our server only
once in a secured way over SSL. We use them to generate a secure token from
Apple. This secure token is the only thing we store on our servers, we never
store your actual iCloud credentials.

What’s next?

In the future, we are thinking about ways to take advantage of the local
Calendar API for users who don’t want to share their credentials, we
understand their point of view.

We are also hoping that Apple will leverage OAuth to authenticate their
calendar API, which will make things easier for everyone. We already support
OAuth with Facebook, Google, Twitter, LinkedIn, Foursquare and Producteev. We
support OAuth where we can.

We are a team of 7 people building a calendar with love & passion, and
unfortunately we can’t always move as fast as we want, but as always, we want
to address users’ issues with transparency and openness. We’re listening on
@sunrise or support@sunrise.am"

~~~
objclxt
The one rather glaring fly in your ointment is that if your system was as
secure as you make it out to be you wouldn't have been asking users to change
their iCloud passwords after your database was compromised a few months ago.

[http://www.theverge.com/2013/11/3/5061136/sunrise-
calendar-a...](http://www.theverge.com/2013/11/3/5061136/sunrise-calendar-app-
hack-mongohq-database-buffer)

~~~
rismay
If you delete the app, this won't remove the account from sunrise's system
then?

~~~
tannerc
There is no way for app developers to know which users have deleted the app
from their device.

~~~
jhgg
Not exactly true. If you send a push notification to a device using a token of
an app that isn't installed anymore, the feedback service will let you know
that the app isn't installed on the device anymore[0].

[0]
[https://developer.apple.com/library/ios/documentation/Networ...](https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/CommunicatingWIthAPS.html#//apple_ref/doc/uid/TP40008194-CH101-SW3)

~~~
leviathan
What about users who didn't allow location services to begin with?

------
msantos
I wonder if the reason why they are asking for AppleID and password is because
that's the only way they found to overcome the iCloud integration problem
described back in April/2013

From [http://sunrise-product.tumblr.com/post/47802736454/why-
doesn...](http://sunrise-product.tumblr.com/post/47802736454/why-doesnt-
sunrise-support-icloud-exchange-yet)

 _Why doesn’t Sunrise support iCloud /Exchange yet?

Every other calendar app seems to do it, what’s taking Sunrise so long?

To explain let’s breakdown a calendar app into two parts, the presentation
layer and the storage layer. In the stock iOS Calendar app, Calendar is the
presentation layer and EventKit is the storage layer, both developed by Apple.
Other calendar apps in the App Store also follow this two layer design but
only redevelop the presentation layer while continuing to use Apple’s EventKit
storage layer. In other words, these apps quite literally take your data and
dress it up in a different color. What we do at Sunrise is redevelop both the
presentation layer and the storage layer.

You guys are crazy, why bother reinventing EventKit?

The storage layer is responsible for keeping your data in a structured format.
If we were to use Apple’s EventKit storage layer, we would have no control
over what can be stored and how to store it.

Okay, so what’s wrong with not having control over the storage layer?

The storage layer needs to be revolutionized. Why can’t my calendar store
anything besides text? What if I wanted to attach a picture to an event?
Better yet, why not a video? What about other rich media that I would want to
be included?

Herein lies the problem, the current storage layer isn’t capable of storing
anything other than basic data. Not only that, it only stores certain kinds of
basic data: titles, descriptions, dates, etc. We want to break these barriers
and let you store anything!

Revolutionary features are coming to your calendar. We’re working as fast as
we can._

~~~
coob
The only stated way they're going to 'revolutionise' calendar storage is by
adding rich media? You can hack on EventKit for that - just used the notes or
URL properties on EKCalendarItem.

Sorry, they're not getting my credentials.

~~~
jaegerpicker
Yeah, I'm not sure what exactly that is trying to justify but off the top of
my head I can think of about 1/2 dozen different ways to tie rich media to the
calendar entry. iCloud and EventKit have their issues but this just seems way
wonky to me.

~~~
kuschku
And even without hacking EventKit you could just base64 the media and add it
as description.

------
pat2man
I would guess that if they had another way to access your iCloud calendar from
their servers they would. Apple unfortunately has everything linked to a
single account without any sort of Oauth. This is more an issue with iCloud
than it is with iTunes or the App Store.

~~~
0x0
It's pretty crazy that you need to use the same credentials to "buy" a $0 app
as you have to remotely lock and wipe your iphone and mac.

~~~
runjake
You don't need to at all. I use two separate Apple IDs on my iOS devices.

Apple ID accounts are individually configurable for most, if not all
iCloud/App Store services.

~~~
coldtea
To quote JWZ: "You have invoked the "Oh, but there's a preference to turn off
that stupid behavior" defense. I am showering you with negativity."

(Yes, it's not a preference pedantically, it's an option to create multiple
accounts. Still the default and most used is using one account).

~~~
EpicEng
I'm an engineer an I didn't know you could use two accounts for different
tasks on the same device. Just never thought about it, because why would I?
Not a reasonable workaround, I agree.

~~~
nknighthb
> _Just never thought about it, because why would I?_

Anyone with family members using their iTunes account would and has for many
years. That's why it's there.

~~~
EpicEng
It's there so that you can create a junk account for apps which want access to
your credentials? Doubtful. Remember the context of the topic.

~~~
nknighthb
This thread started with:

 _" It's pretty crazy that you need to use the same credentials to "buy" a $0
app as you have to remotely lock and wipe your iphone and mac."_

I'm having no trouble remembering the context. Why are you?

------
piyush_soni
Admittedly, Android does it much better by providing oAuth, an easy way to get
the users sign in, and of course APIs for almost all the popular features. And
also, for installing $0 apps you don't need any credit card details at all.
Even the buttons are different "Install" v/s "Buy".

~~~
k-mcgrady
>> Admittedly, Android does it much better by providing oAuth, an easy way to
get the users sign in, and of course APIs for almost all the popular features.

First of all this has nothing to do with iOS/Android. This is an app trying to
access a web service. Apple needs to provide oath or similar for accessing
their iCloud services.

>> And also, for installing $0 apps you don't need any credit card details at
all. Even the buttons are different "Install" v/s "Buy".

This is untrue. I couldn't download any free apps until I had setup a merchant
account with credit card.

~~~
rajivm
You've always been able to use Google Play for free apps without a credit
card...

~~~
k-mcgrady
I got an Android device about 6 months ago and couldn't download any apps
until I'd setup a credit card.

------
rahimnathwani
I would guess that most iOS users think that the confirmation message for in-
app purchases (prompting you for your iCloud credentials) is from the app from
which they initiated the purchase, rather than from a system service.

This probably conditions them to trust all iOS apps with their password if
prompted to enter it.

~~~
GuiA
Which is precisely why the thing this article is pointing out is extremely
terrible - Apple should have made it a rule a long time ago that no 3rd party
app can ask for Apple ID credentials.

But they dug themselves in a ditch by unifying extremely sensitive things
(App Store access) & very sensitive things (email, calendar) under a single
account.

A few ways to get out of that ditch:

\- not allowing any iOS/Mac app store 3rd party app to ask for iCloud
credentials. This will suck but at least protects the average Joe.

\- forcing users to have a different password for the app store/anything that
can take money from a credit card.

\- using something like OAuth.

\- use two step verification for app store purchases (of course, the mobile
app store being on a phone makes it harder)

~~~
rahimnathwani
_use two step verification for app store purchases_

That's actually a great idea, and it wouldn't be hard at all, as long as they
were to use TFA for all iCloud access. The second factor (e.g. a 6-digit
number) could be displayed in the dialogue box asking for your password.

If it's a genuine dialogue box, no problem. If it's _not_ a genuine dialogue
box, then the captured username/password is of no use, as you don't have the
second factor. Replay and MITM attacks could be avoided by using a session
identifier; the app wouldn't be able to get at it due to the sandbox.

------
Touche
Apple could just, you know, implement oauth.

~~~
barumrho
OAuth only makes sense if they provide an API for iCloud calendar, which isn't
the case as far as I know.

~~~
zw
It's a bog-standard CalDAV server, which isn't an API, of course, but at the
same time, it sorta is.

~~~
Xylakant
I'd argue that CalDAV is an API - it's specified and offers operations on
data. It's not JSON-Rest but an API it is.

------
msantos
I can't take anyone serious when they try to justify a potential security flaw
with " _to provide a better user-experience_ ".

And as for " _to offer a Sunrise experience everywhere, on all platforms_ ",
but at what cost?

------
zw
They can't win, can they? I'm sure if they did exactly what he suggests a
long, long time ago we'd be hearing how evil they are for not allowing
calendar apps to work properly on the store.

~~~
po
Nobody is calling anybody evil. Developers may complain that there is no
server-side API for an iOS user's calendar but it's still crazy that Apple
allows and promotes an app that normalises an extremely dangerous practice.

------
FigBug
On a related note, when did it become OK for an App to ask for your credit
card number to do in-app purchase? I thought that wasn't allowed.

~~~
cmelbye
IAP is required for virtual goods used within the app. It's fine to ask for a
credit card number to purchase physical goods and services. That's why Apple
hasn't shut down Uber and Square.

~~~
xerophtye
I am guessing you can trust the app with ur credit Card because of AppStore's
rigorous entry tests?

~~~
cmelbye
What point are you even trying to make? You trust the app for the same reasons
you trust a web site you put your credit card number into, or the card reader
that the cashier uses at the local business down the street.

------
schappim
It's actually Apple's fault, they should offer an API for this kind of thing!

~~~
supercoder
It's not Apple's fault.

If I ask for your gmail user / pass is that fine because there's no API ?

~~~
kevinpet
If Google listed your fishing attack in a recommended app list, then yes, it
would be Google's fault.

------
yaeger
Okay, I have a question. AppleID and pw non-withstanding, I have experienced
the following. I played Where's my water2 recently and came to the end where
you have to pay to get additional levels. No biggie, I did this with the first
game as well. But, when I clicked the in app purchase and entered my password
I was prompted with a pop saying I needed to answer my 3 security questions
next. Of course I hit cancel and not okay right there.

I have never seen that an app requests the security questions when making an
in app purchase. Granted it's been a while since I last made one. Can anyone
tell me if this is supposed to be normal now?

I tried to talk to Disney's support but of course no answer there...

~~~
yardie
I had the same request from inside one of Apple's apps. I think Apple just
want you to update your security questions. I logged into the AppleID site,
appleid.apple.com, and updated the questions there. Relaunched the app and no
more questions.

I think you get 3 or 4 tries before they lock your account, I had gotten 1
question wrong 2x an didn't want the account locked because of a typo.

~~~
yaeger
That sounds right. Although since I haven't entered my security question
directly in that app, I was not asked to update them from any other App.

It just felt weird that a non Apple app suddenly asked for these things. I do
use Find my Friends semi regularly in which you also login with your appleid
password but so far there was never a message saying I needed to enter my
security questions... weird.

------
smackfu
The Mailbox app does the same thing, to give you access to iCloud email.

[http://imgur.com/xK4Hmy2](http://imgur.com/xK4Hmy2)

------
bhartzer
I don't have a huge beef with this, though. I am assuming that Apple has
vetted the company and the app already through their normal process of
allowing the app in the app store. Am I being overly trusting?

~~~
piyush_soni
Yes.

