by aestra 4525 days ago
In your giant ad you missed the point so much it hurts.

You are asking for sensitive user names and passwords you have no right to have. Just because you don't do anything bad with them (so you say - and not yet) means nothing. You shouldn't be asking for them. Phishing attacks do exactly the same thing you do. You are not special; your users shouldn't trust you with their Apple ID and password any more than any other spam email they get.


Why does the application that accesses your calendar not have the right to the credentials for those calendars? Does my email application all of a sudden no longer have the right to my email credentials?

The issue here is not that Sunrise asks for your iCloud credentials, which it needs to be able to access your iCloud data, which you as a user of their service have given them the right to. The problem is that those same credentials are tied to your iTunes account and your credit card.

Think cloud based. OAuth, if implemented by Apple, would have APPLE asking the users for their username / password combination. APPLE then tells Sunrise that the username / password is valid. There is no reason why Sunrise should ask for the username / password.

OAuth and, even older, PayPal use this methodology. It is a shared deficiency between Sunrise and Apple that they don't have a better way of performing user authentication.

-----------------

Your email application is a null / void example. Email applications run on your own computer. What is going on here is that Sunrise is collecting usernames / passwords on their own server and promising that they won't do anything wrong with them. Whether or not we should trust them is beside the point; their approach to security is terrible.

I don't think anyone would disagree that OAuth is a far, far better solution. But there's not really anything Sunrise can do to make Apple implement OAuth.
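The two models the replies above contrast, as an added example that is not part of the thread and not code from Apple or Sunrise: a toy account provider that checks the password itself and hands a third-party app only a token bound to one client and one scope (the OAuth-style flow described above), next to an app that stores the password and therefore holds the whole account, store and credit card included. The user name, password, client id, scope names and HMAC token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AccountProvider:
    """The party that owns the credential ("Apple" in the thread). It verifies
    the password itself and mints tokens limited to one client and one scope."""

    def __init__(self):
        self._users = {}                      # user -> (salt, pbkdf2 hash)
        self._codes = {}                      # one-time authorization codes
        self._revoked = set()                 # token ids the user has revoked
        self._key = secrets.token_bytes(32)   # HMAC key for tokens (constructed)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def check_password(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))

    def authorize(self, user, password, client_id, scope):
        """Step 1: the user types the password HERE, not into the app, and
        approves a scope; the app only ever receives a short-lived code."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, scope)
        return code

    def exchange_code(self, code, client_id):
        """Step 2: the app trades the one-time code for a token bound to it."""
        user, bound_client, scope = self._codes.pop(code)   # pop: single use
        if bound_client != client_id:
            raise PermissionError("code was issued to a different client")
        claims = {"sub": user, "aud": client_id, "scope": scope, "jti": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return b64(body) + "." + b64(hmac.new(self._key, body, hashlib.sha256).digest())

    def introspect(self, token):
        """Return the claims if the token is authentic and not revoked, else None."""
        try:
            body, tag = (unb64(part) for part in token.split("."))
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(tag, hmac.new(self._key, body, hashlib.sha256).digest()):
            return None
        claims = json.loads(body)
        return None if claims["jti"] in self._revoked else claims

    def revoke(self, token):
        """The user cuts off one app without changing the password."""
        claims = self.introspect(token)
        if claims:
            self._revoked.add(claims["jti"])


def resource_request(provider, token, action):
    """A resource server (calendar, store) serves a request only if the token's
    scope covers the action. Scope names are constructed for the example."""
    claims = provider.introspect(token)
    return bool(claims) and action in claims["scope"].split()


class PasswordCollectingApp:
    """The model the thread objects to: the app keeps the credential on its own
    server, so it (or whoever breaches that server) can do anything the user can."""

    def __init__(self):
        self.vault = {}

    def connect(self, user, password):
        self.vault[user] = password

    def act(self, provider, user, action):
        return provider.check_password(user, self.vault[user])   # any action at all


def demo():
    user, password = "alice@example.com", "correct horse battery staple"   # constructed
    apple = AccountProvider()
    apple.register(user, password)
    # Delegated path: the calendar app gets a calendar-only token, never the password.
    code = apple.authorize(user, password, client_id="calendar-app", scope="calendar:read")
    token = apple.exchange_code(code, "calendar-app")
    results = {
        "calendar_with_token": resource_request(apple, token, "calendar:read"),
        "purchase_with_token": resource_request(apple, token, "store:purchase"),
    }
    apple.revoke(token)
    results["calendar_after_revoke"] = resource_request(apple, token, "calendar:read")
    # Password path: the same credential opens everything tied to the account.
    legacy = PasswordCollectingApp()
    legacy.connect(user, password)
    results["purchase_with_password"] = legacy.act(apple, user, "store:purchase")
    results["app_holds_password"] = user in legacy.vault
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the difference the replies argue about: the scoped token reads the calendar and nothing else, and the user can revoke it without touching the Apple ID password, while the password-collecting app can exercise every right the account has.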