Why do you need my iCloud credentials?

With the recent scare over a calendaring app called Sunrise, brought to everyone’s attention by John Gruber and Marco Arment, it seems many are not clear why 2Do needs their iCloud credentials too and what it does with them. This article is meant to clarify a few things. Bear in mind, though, that 2Do only requires these credentials when synchronizing 2Do with Reminders over CalDAV (so this does not apply to the other supported sync methods).

Apple has made vast improvements to Reminders / Calendar and iCloud in these past few years. What was once a side-feature of iCal has transformed into what is now ‘Reminders’. But long before all this happened, 2Do became the first iOS task manager to fully support direct synchronization with iCal and MobileMe (which later transformed into iCloud in a broader sense) by supporting the CalDAV protocol. This kept 2Do highly functional and flexible, as it could now synchronize with other personal and enterprise devices using these services.

In order to do this, however, 2Do acts like a typical 3rd party CalDAV client (such as iCal or Outlook). It uses your credentials to connect to Apple’s iCloud servers directly over a secure connection, in order to keep 2Do’s local data synchronized with that in the cloud. The login and password themselves are stored in the System Keychain. At no point in time does 2Do establish a connection with any other service / server. All data stored on your phone and in the cloud belongs to you, is managed by you, and is completely inaccessible to any 3rd party (including our staff).
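To illustrate what “stored in the System Keychain” means in practice, here is an added example (not 2Do’s own code) of how an iOS CalDAV client can keep a login as an Internet-password Keychain item scoped to the CalDAV host, readable only while the device is unlocked and never migrated to another device; the host name and the `CalDAVCredentialStore` type are assumptions for the example.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

// Hypothetical helper: one Keychain item per (server, account) pair, so the
// password can be replaced in place when the user rotates an app-specific password.
struct CalDAVCredentialStore {
    let server: String   // assumed host, e.g. "caldav.icloud.com"
    let account: String  // the iCloud login name

    // Attributes that identify the item; used for both save and load.
    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassInternetPassword,
         kSecAttrServer as String: server,
         kSecAttrProtocol as String: kSecAttrProtocolHTTPS,
         kSecAttrAccount as String: account]
    }

    func save(password: String) throws {
        var item = baseQuery
        item[kSecValueData as String] = Data(password.utf8)
        // Readable only while unlocked; "ThisDeviceOnly" keeps it out of backups
        // and iCloud Keychain, so the secret stays on the device that entered it.
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        // Remove any previous item first so a changed password actually takes effect.
        SecItemDelete(baseQuery as CFDictionary)
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    func load() throws -> String {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess,
              let data = result as? Data,
              let password = String(data: data, encoding: .utf8) else {
            throw KeychainError.status(status)
        }
        return password
    }
}

// Usage (constructed values): store and later retrieve the CalDAV login.
let store = CalDAVCredentialStore(server: "caldav.icloud.com", account: "user@example.com")
try store.save(password: "app-specific-password-goes-here")
let restored = try store.load()
```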

Apple now also (finally) supports two-step verification, which means you can create app-specific passwords. This way, the password you use in a 3rd party app is tied to that app alone, and the 3rd party in question has no way of accessing your iCloud account under normal circumstances, even if it somehow got hold of this password. We highly recommend you switch to two-step verification in order to increase the security of your iCloud account. If and when you do, simply replace the password you use in 2Do with the new app-specific password and you’re all set.

It’s worth mentioning that we have no servers of our own that 2Do connects to. The ‘push’ notifications you receive are in fact ‘local’, i.e. the information related to your tasks is stored locally on your device and alerts are generated by the System. Unlike some apps / services, 2Do does not use your account details in order to ‘help’ you with email alerts and reminders. We take security seriously, and for this reason do not offer our own sync solution. Your data is as safe as the rest of your information stored in iCloud.

In case you’re interested, here’s a bit more background. The first update we pushed out with CalDAV sync support in fact asked users to enter their ‘iCloud Login’ details; Reminders / MobileMe sync was the only sync method we supported at that time. This was immediately picked up by Apple and we were prevented from publishing our update to the App Store. After a number of emails and phone calls with management at Apple, it was decided that unless it was made absolutely clear that 2Do used CalDAV directly from within the app, in addition to supporting other generic CalDAV services, they would not allow this. At that point we actually had to delay the update for a couple of months in order to add support for a number of other CalDAV services, namely Yahoo! Calendar and custom-hosted Mac OS X iCal Servers. We also had to change the name to ‘Reminders Sync (CalDAV)’ in order to avoid confusion, and change the way the setup screen looked: to the user it was now more of a ‘pick from a number of supported CalDAV services’ and ‘enter credentials’ flow. The store’s description also had to be updated to reflect support for CalDAV.

So why don’t we simply support the built-in Reminders sync feature that was made available to developers some time ago? The main reason is the lack of meta-data storage per task. Plus, we get to support Siri for free (tasks added using Siri make their way into 2Do via CalDAV sync). 2Do adds a lot of value on top of the simple tasks you see in Reminders. In order to ensure all of this information is synchronized correctly across various devices, we would need to store extra meta-data that the built-in Reminders SDK does not currently support. Once this feature is made available, we will look into supporting Reminders sync directly. Even then, we may never replace our current CalDAV implementation, as it will later be expanded to support other popular CalDAV servers.