The increasingly popular Sunrise calendar app faced a bit of a brouhaha last week, after a couple of well-respected developers (namely, Neven Mrgan and Instapaper creator Marco Arment) pointed out that the application asked the user to punch in their iCloud credentials with little indication of what happened to them next.
Given the amount of sensitive data that tends to be transmitted over iCloud (iMessages, backed up photos, email, etc.), such a request was iffy, at best. It’s certainly not the sort of thing you want to become the norm.
Making things worse, the company was in turn taking those credentials and transmitting back them to their server (though they note that they were not storing them.) They were sending the credentials in a secure way — but still: if it’s at all avoidable, sending important credentials back to the mothership isn’t good practice.
This morning, Sunrise pushed out a patch that makes things a little better. They’ll still need you to punch in your credentials, which is a bummer — but now, at least, they’re handling authentication within the app itself. Instead of sending your username and password back to their servers, they send a unique token that allows them to access your iCloud data without ever sending your actual username/password off of the device. And if you decide that you don’t want Sunrise to be able to access your data? Just change your password, which renders the token useless.
It’s not a perfect solution, as it does still require the users to trust a third-party with some pretty precious data. In this case, since Sunrise is now being quite transparent about how they handle the data, that’s fine. But it’s still not something that apps should be getting users comfortable with doing. Until/unless Apple builds in some sort of iCloud permissions dialog that allows for the user to grant a service like Sunrise access to data (sort of like the way Facebook handles Facebook logins within apps), however, this is the safest route they’ve got apart from.. you know, not existing.
It’s been just 9 days since concerns about Sunrise’s methodology were raised; good on them for moving quick.