To paraphrase: “It lets us do cool stuff.”
I don’t think that’s a valid justification for a young company that has already had a security scare to ask for a high-security username and password that many people tie to their entire online lives and the security of all of the files on their computers.
Oh, and they do transmit them to the server, rather than getting an authentication token on-device:
When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.
This is better than storing your password in their database, but it’s still not very secure by modern standards: they’re still taking on the responsibility of transmitting it securely from the app, receiving it securely on the servers, sending it back to Apple securely to get a token, ensuring no tools, proxies, or analytics are caching or logging it along the way, and ensuring that their servers aren’t quietly hacked and nobody’s monitoring the application to capture the credentials in flight.
Many readers have blamed Apple for this, mostly because the lack of official iCloud APIs and support for OAuth (or a similar scheme). I agree. But the ideal “Apple way” isn’t to do something really horribly until they have time and motivation to “do it right” — it’s not to do it at all.
It’s better not to permit apps to access customers’ iCloud account at all (beyond the official, secure APIs) than to allow any app to collect them insecurely and do whatever they want with them.
Regardless of whether you agree that this is Apple’s fault, it will definitely be Apple’s problem when an app like this has a security breach that compromises hundreds of thousands — maybe millions — of Apple IDs.