Sunrise, in response to media inquiries, said that they do not store your actual credentials on their server, but instead a token created from them.
When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.In addition, they gave the following reason for requesting them in the first place (paraphrased by Marco.org):
It lets us do cool stuff.At least they are not storing data on your device in the clear, like some applications we know, right?
Still, all this back and forth means that Sunrise has to be secure when it gets the information from your device, when it sends it to Apple, and when it stores it on its servers. That's still not all that comforting, especially when the company has already had a security scare, and only two months ago, too.
How much damage could someone do with this information? One need only read the cautionary tale of how such a break-in led to the destruction of Wired writer Matt Honan's digital life to see how much havoc this could wreak.
Notably, it does not appear there are explicit App Store review board rules against this sort of thing. Of course, Apple could change this.