Apple ID Password Request From iOS App Raises Security Questions


Apple’s (NASDAQ:AAPL) so-called “walled garden” ecosystem ensures that every iOS app is carefully vetted by Apple before it is allowed to be sold. As a result, Apple’s iOS platform is relatively free from malware. According to Cisco’s (NASDAQ:CSCO) recently released annual security report, 99 percent of all mobile malware in 2013 targeted Google’s (NASDAQ:GOOG) Android operating system.

However, this doesn’t mean that Apple’s devices are immune to security breaches. As noted in Cisco’s report, the maturation of mobile platforms and the growing use of mobile apps have increased all users’ vulnerability to malware attacks. “Many users download mobile apps regularly without any thought of security,” said the authors of Cisco’s report.

When it comes to mobile security, even Apple’s ecosystem is vulnerable if users carelessly hand over credentials to third-party apps. As recently discovered by technology blogger Marco Arment, even apps from Apple’s App Store will occasionally ask users to divulge credentials that could be used to compromise a user’s account and the devices tied to it.

Arment noted that the Sunrise Calendar app for the iPhone requests a user’s Apple ID and password as part of the setup process. Sunrise claims that the Apple ID information is not stored and is only used for obtaining a “login token” from the user’s iCloud account. Although Sunrise’s claim may be true, Arment noted that this is a dangerous precedent for Apple users, since an Apple ID and password can allow a malicious attacker to wreak havoc with multiple connected devices.

Many malware apps use similar “phishing” methods to try to trick users into divulging private security information. Unfortunately for Apple users, it appears that Sunrise’s information request is in line with Apple’s current app developer guidelines.

Not only does Sunrise’s Apple ID and password request set a troubling precedent for overall mobile security practices, Arment pointed out that even Sunrise’s method is not especially secure by “modern standards.” According to Sunrise’s statement to Arment: “When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.”

Although this is better than storing the password itself in a database, Arment reports that Apple users must still trust Sunrise to transmit the Apple ID and password safely from the app to its servers and on to Apple. SSL protects the credentials only while they are in transit; Sunrise’s server still receives and handles the plaintext password, so a compromise of that server, or a mistake such as logging the request, would expose it. Arment pointed out that this design gives attackers multiple opportunities to intercept the credentials.
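To make the trust boundary concrete, here is an added simulation (not Sunrise’s code, and not Apple’s API) of the two ways an app can end up holding an iCloud token: the relay flow described above, where the app’s server receives the password and exchanges it for a token, and a direct flow where the device obtains the token itself and hands the app’s server only the token. The party names, message shapes, the constructed account and the HMAC-based token are all assumptions made for the example; the point is simply which parties and which network hops ever carry the plaintext password.

```python
"""Trust-boundary model of two ways an app can come to hold an account token.

Illustrative simulation only: not Sunrise's code and not Apple's API. Party
names, message shapes, the sample account and the token format are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

SAMPLE_ID = "alice@example.com"          # constructed sample account
SAMPLE_PASSWORD = "correct horse battery" # constructed sample password


@dataclass
class Party:
    name: str
    # Every plaintext password this party sees, even transiently.
    passwords_seen: set = field(default_factory=set)
    # Long-lived secrets this party keeps once the flow is over.
    stored: dict = field(default_factory=dict)


@dataclass
class Hop:
    """One network transmission. TLS protects it in transit, but both endpoints
    (and any TLS-terminating proxy in between) handle the payload in the clear."""
    sender: str
    receiver: str
    carries_password: bool


class IdentityProvider(Party):
    """Stand-in for the account service that issues a token for a credential."""

    def __init__(self):
        super().__init__("identity_provider")
        self._key = secrets.token_bytes(32)            # server-side signing key
        self.accounts = {SAMPLE_ID: SAMPLE_PASSWORD}   # constructed account store

    def token_for(self, account_id: str, password: str) -> str:
        self.passwords_seen.add(password)
        if self.accounts.get(account_id) != password:
            raise PermissionError("bad credentials")
        # The token is bound to the account, not derived from the password,
        # so holding the token does not reveal the password.
        return hmac.new(self._key, account_id.encode(), hashlib.sha256).hexdigest()


def relay_flow(device, app_server, idp, account_id, password):
    """Flow described in the article: device -> app server -> account service."""
    hops = [Hop(device.name, app_server.name, carries_password=True)]
    app_server.passwords_seen.add(password)            # server handles plaintext
    hops.append(Hop(app_server.name, idp.name, carries_password=True))
    token = idp.token_for(account_id, password)
    app_server.stored[account_id] = token              # only the token is kept
    return hops


def direct_flow(device, app_server, idp, account_id, password):
    """Device gets the token itself and hands the app server only the token."""
    hops = [Hop(device.name, idp.name, carries_password=True)]
    token = idp.token_for(account_id, password)
    hops.append(Hop(device.name, app_server.name, carries_password=False))
    app_server.stored[account_id] = token
    return hops


def run(flow):
    """Run one flow and report where the plaintext password was exposed."""
    device = Party("device")
    device.passwords_seen.add(SAMPLE_PASSWORD)         # the user typed it here
    app_server = Party("app_server")
    idp = IdentityProvider()
    hops = flow(device, app_server, idp, SAMPLE_ID, SAMPLE_PASSWORD)
    return {
        "parties_with_password": {p.name for p in (device, app_server, idp) if p.passwords_seen},
        "hops_with_password": sum(h.carries_password for h in hops),
        "app_server_stores_password": SAMPLE_PASSWORD in app_server.stored.values(),
    }


if __name__ == "__main__":
    for flow in (relay_flow, direct_flow):
        print(flow.__name__, run(flow))
```

In the relay flow the password crosses two network hops and sits in plaintext on the app vendor’s server, even though that server keeps only the token afterwards; in the direct flow the vendor’s server never sees the password at all. The simulation does not model TLS interception or server compromise, it only shows where such an attacker would have to be standing to obtain the credential.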

It should be noted that this is not the first time questions have been raised about the security of apps in Apple’s ecosystem. Some privacy advocates have brought up concerns about location data that third-party apps can collect on users through Apple’s iBeacon micro-location system.

Although Apple discloses the types of information it collects in its Privacy Policy and offers users the option to disable the tracking function on iOS devices by turning off the Location Services feature, some consumer advocates are concerned that some third-party app consent forms do not adequately explain the amount of data that can be culled from mobile device tracking systems.