Apple’s currently featuring the Sunrise app in the App Store.
Upon first launch, Sunrise invites you to create an account, then asks you to add a calendar. The first option, “iCloud Calendar”, brings you to a screen where the Sunrise app itself, in its native interface and code, solicits your Apple ID (iCloud) email address and password.
This is apparently OK.
I first saw Neven Mrgan point this out (good replies there), with some additional commentary from Michael Tsai. I couldn’t believe it, so I downloaded the app myself and took these screenshots.
Sunrise claims that they’re not storing the credentials and are instead just getting a login token of some sort from iCloud. (It’s unclear whether they’re transmitting your email and password to their servers and getting the login token from there, or doing the exchange from the device.) But that doesn’t matter at all.
No app or website should ever be asking for a high-security username and password directly, especially given how much is tied to your Apple ID. What year is this?
It’s downright dangerous that Apple not only let this through app review, but is promoting it.
To my surprise, there’s no rule against doing this. That needs to change immediately.
(Update here with a Sunrise response, sort of.)