Users sometimes ask us why we require the user’s Apple ID and password in Sunrise, instead of using the local Calendar API. That’s a great question to ask, and we understand why users don’t want to share their credentials without context. We’ve thought a lot about that.
The two reasons why we are doing this are:
- one, to provide a better user experience
- two, to offer a Sunrise experience everywhere, on all platforms (including web and Android)
Providing a better user experience
Being able to access the data from our servers, instead of just client-side, has enabled us to write a better calendar app. We are working hard to make synchronization faster and more reliable, and it enables us to send push notifications or alerts to users without them having to open the app.
And this is just the beginning: a lot of new features that we are working on at Sunrise for the future will rely on our server-side infrastructure.
The two biggest feature requests we get from users are: “when is Sunrise going to launch on desktop” and “what about Android?”.
We understand our users: they want a unified Sunrise experience everywhere, and so we can’t use a local API for that.
How does it work? Is this secure?
When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. (Update: since our 2.11 version, we are not sending iCloud credentials to our servers; the app generates the secure token client-side.) We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers; we never store your actual iCloud credentials.
In the future, we are thinking about ways to take advantage of the local Calendar API for users who don’t want to share their credentials; we understand their point of view.
We are also hoping that Apple will leverage OAuth to authenticate their calendar API, which will make things easier for everyone. We already support OAuth with Facebook, Google, Twitter, LinkedIn, Foursquare and Producteev. We support OAuth where we can.
We are a team of 7 people building a calendar with love & passion, and unfortunately we can’t always move as fast as we want, but as always, we want to address users’ issues with transparency and openness. We’re listening on @sunrise or email@example.com
Updated (Wed 01/22): Also, if you’ve discovered a security vulnerability in Sunrise, we appreciate your help in disclosing it to us in a responsible manner by using firstname.lastname@example.org
Updated (Thursday 01/29):
We’ve updated the Sunrise app (version 2.11) to never send the Apple credentials to our servers, as suggested by our community. The update is now live.
Security and users’ privacy are very important to us and we are grateful to the community for the suggestions we’ve received on that issue.
– Pierre, CEO