Upon first launch, Sunrise invites you to create an account, then asks you to add a calendar. The first option, “iCloud Calendar”, brings you to a screen where the Sunrise app itself, in its native interface and code, solicits your Apple ID (iCloud) email address and password.
These credentials are then passed along to their servers, according to their response to this issue:
When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL.
On Thursday, they announced a new version that uses a local method to generate the iCloud token, so your credentials are never sent out at all. You could make the argument that they should never have been transmitted in the first place, but I have to hand it to the Sunrise team in that they heard the outcry, and fixed it. I’ve actually emailed their support email about other issues before, and gotten a direct response from Pierre, their CEO.
Great app, good people behind it, great price… get it now before they wise up and start charging what it’s actually worth.