[kevinpet]

They should have rejected your app until they had an Oauth solution in place. That's the right answer to avoid training Apple users to be fishing targets.

Sunrise doesn't have a (known) security problem. Sunrise happened to reveal a glaring problem with Apple's security policies.

[weaksauce]

It's actually phishing. I bring it up because I see more than one commenter on this page that has it wrong.

[hayksaakian]

it might be autocorrect changing phishing to fishing

[Bud]

Anyone who is relying on autocorrect while posting comments on technical issues kinda deserves what they get.

[weaksauce]

fwiw. I typed phishing on my iPad and it worked fine.

[pflats]

Actually, as a poster mentioned above, Sunrise was compromised 3 months ago, and recommended all iCloud users change their passwords.

http://www.theverge.com/2013/11/3/5061136/sunrise-calendar-a...

[seandougall]

How would OAuth help? The problem is training users that it's okay to enter their username and password into any schmuck's app... which is exactly what they'd be doing with OAuth. OAuth and its ilk are neat ways for honest app developers to avoid touching user credentials, and therefore (presumably) would have been a better solution for Sunrise, but they offer no protection against phishing in a native app.

Of course, OS X Authorization Services prompts for keychain access with a standard dialog that just pinky-swears it comes with the OS's blessing, so maybe Apple's approval of this practice shouldn't come as such a surprise.