iCloud security with 3rd party apps

Lettermuck
Community Member

Could anyone advise please on security with 3rd party apps through the App Store. When downloaded many will ask for my iCloud ID and password. This may be to use iCloud for sync, or to access contacts, calendar, email, etc. Is it safe to enter my iCloud ID and password? Does this information actually become visible to the 3rd party, or does Apple control this link? The data entry form appears to be provided by the 3rd party and not Apple, so it is concerning to me. Is there a way of using 1Password in some way, or is this not necessary? Thanks.



Comments

  • khad
    1Password Alumni

    @Lettermuck,

    You should not enter your iCloud password into any app that isn't from Apple. The APIs that Apple provides allow developers to sync your iCloud data without ever directly prompting you for your iCloud password.

    It could just be a poorly written app that is requesting your iCloud password. Or it could be malicious. AFAIK, Apple should not be approving any apps that ask you for it directly. Be sure to differentiate between a system prompt to verify your iCloud credentials and the app itself asking.

    Let's presume we're talking about the app itself asking, though. If the app turned evil, they could do a lot of damage. They could lock you out of your Apple ID.

    Now you don't have to actually be concerned about anyone "turning evil" for that distinction to matter. If someone has the capacity to do damage, they can do it by accident. If someone does not have the capacity to do damage, then they couldn't do it even by accident.

    This is part of the "principle of least authority". Systems should be designed so that they have no more authority than needed to perform their function.

    I hope that helps. But please let us know if you have any other questions or concerns. It is great that you are thinking about these things.

  • Lettermuck
    Community Member

    Thank you so much Khad for your response. The apps in question are well known through the App Store. Examples are 'Fantastical 2' for calendar and 'Dispatch' for iPhone email. There are others too. I am asked for Apple ID and password, but the form appears to be from the vendor and not from Apple themselves. I initially entered the details, but later changed my Apple password because of concerns. Seems a vulnerability to me, unless Apple are somehow managing this. Thanks again.

  • AGAlumB
    1Password Alumni

    @Lettermuck: Better safe than sorry! Without seeing for myself it's hard to say for certain; however, these sound a lot like OS X Keychain dialogs. You'll get a lot of them in quick succession if you make a change and all Keychain items are not updated properly. Not long ago I ran into an issue where various Keychain items were using three different passwords (old, new, and iCloud). Very confusing.
    When in doubt, contact Apple or the developer of the app in question, as they'll know exactly what should be asking for what. :)

This discussion has been closed.