July 9, 2010
PlayMesh Fishies App Story: iTunes Password Caching
UPDATE July 10, 2010 3:00 PM
My article about issues with the iPhone app Fishies has brought up some good discussion about in-app purchases and what turns out to be an opaque iTunes system that caches usernames and passwords when users may not realize it.
I've heard background info on the way iTunes deals with in-app purchases from other iOS developers and a personal note from Eric, a founder at PlayMesh, and I wanted to set the record straight about what happened.
First, I want to apologize to PlayMesh.
As a parent, I was angered yesterday at what seemed like an unauthorized purchase of virtual currency in their app, Fishies. This has turned out NOT to be the case. PlayMesh is no different than any other iOS app developer using in-app purchases.
Rather, this was all a result of iTunes storing my username and password from a prior purchase for in-app purchases in Fishies.
Now one might argue that $149.99 in virtual currency or objects of any kind is just nuts. I would agree with you, but that's a separate subject from how items like this could be purchased as in-app add-ons.
This is an issue with any iOS app that uses an in-app purchasing model, because iTunes stores your username and password, which is subsequently available for in-app purchases, even if you don't know it.
A Reply from PlayMesh
Eric from PlayMesh contacted me today about my experience and had good reference to share from their perspective on the topic of in-app purchases.
Eric writes:
We built Fishies with the intention of making it a free to play game and we would sell a few virtual goods to help sustain its own costs. We happily adopted Apple's in-app purchase system because we believed it to be the most friction-free experience for our users who do choose to support us financially by buying some virtual goods.
That being said we have indeed noticed that there are several users whose experience has mimicked yours. We have pinned it down to the fact that iTunes usually caches your iTunes account login for some amount of time after you have been prompted for it. So usually what will happen, is that a parent will download Fishies and give it to their kid to play with it right after they download.
Afterward, their kid will go get a few in-app purchases (usually including the $149 option) and never get prompted for a password. Unfortunately, this part of the system is almost entirely controlled by Apple, we're simply plugging into their API.
That's precisely my experience from yesterday and it appears to be a flaw/feature in the iTunes system. After helpful discussion and feedback from developers @NeoNacho, @manton, @NattyLux and @felttipsoft, I learned that iTunes was storing my username and password for 15 minutes after my initial app purchase, which allowed purchases in Fishies without any login prompts.
It's not at all fair to iOS developers, as they are simply using the system Apple provides. When users have purchases made unknowingly, they blame the developers without realizing it's really the iTunes system of caching credentials that's at fault here.
Manton Reece on iTunes password caching
Manton Reece, a developer of Mac and iOS software, today wrote the article iTunes password caching on his blog. Here's an excerpt:
What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and clicked a bunch of random stuff (likely got the Buy prompt), but because the whole concept of virtual currency is kind of confusing, and because it didn't ask for a password, the app happily let him make all the purchases.
I doubt the developer of this app did anything wrong. A reasonable argument could be made that iTunes should either not cache passwords at all, or keep a separate cache for app downloads vs. in-app purchases, or maybe always prompt for a password on in-app purchases. My kids and other kids I know have also used this backdoor trick to sneak a couple app downloads, but usually it's a few bucks, not $190. Consumable virtual items (that you can keep buying over and over) make this problem much worse.
Manton is right — though the Fishies app was downloaded free several weeks ago, which made it even harder to see the connection between buying a racing game at 10:30 AM and getting multiple large in-app purchases from Fishies at 10:45.
This is the real issue — users don't realize their credentials, with full purchasing power, are floating around in iOS, available to apps for in-app purchasing.
In my view, any in-app purchase should at least require an initial re-entry of username and password to initiate a purchase in the app.
Cached credentials from prior purchases ought not be available within an app, unless I specifically opt into that feature by manually changing preferences.
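The cache options discussed above can be compared in a small model. This is an added example, not code from this post, Apple or PlayMesh: the class, the policy names and the event timeline are assumptions made for illustration, and only the 15-minute window comes from the story.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 15 * 60  # cache lifetime reported in the post


@dataclass
class PurchaseGate:
    """Toy model of a store's password cache (hypothetical, not Apple's code)."""
    policy: str  # "shared" | "per_scope" | "iap_always_prompt"
    last_auth: dict = field(default_factory=dict)  # cache key -> time of last password entry

    def _key(self, scope, app):
        if self.policy == "shared":
            return "store"       # one cache for downloads and in-app purchases
        return (scope, app)      # separate cache per purchase type and per app

    def request(self, t, scope, app, password_known):
        """Return 'cached', 'prompted' or 'denied' for a purchase at time t (seconds)."""
        key = self._key(scope, app)
        fresh = key in self.last_auth and t - self.last_auth[key] < GRACE_SECONDS
        if self.policy == "iap_always_prompt" and scope == "iap":
            fresh = False        # in-app purchases never reuse a cached login
        if fresh:
            return "cached"      # no prompt: whoever holds the device can buy
        if not password_known:
            return "denied"      # prompt shown, person at the device cannot answer
        self.last_auth[key] = t
        return "prompted"


# Constructed timeline: (seconds, purchase type, app, does the person know the password?)
TIMELINE = [
    (0,    "download", "racing-game", True),   # parent buys an app, enters password
    (300,  "iap",      "fishies",     False),  # child taps Buy five minutes later
    (420,  "iap",      "fishies",     False),  # child taps Buy again
    (1200, "iap",      "fishies",     False),  # child taps Buy after the window closes
    (1300, "iap",      "fishies",     True),   # parent knowingly buys one in-app item
    (1400, "iap",      "fishies",     False),  # child taps Buy right afterwards
]


def replay(policy):
    """Run the timeline through a fresh gate and return the outcome of each event."""
    gate = PurchaseGate(policy)
    return [gate.request(*event) for event in TIMELINE]


if __name__ == "__main__":
    for policy in ("shared", "per_scope", "iap_always_prompt"):
        print(f"{policy:18}", replay(policy))
```

Every "cached" outcome for an event where the password is not known is a purchase made without a prompt; only the always-prompt policy removes all of them in this timeline.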
Buried iOS Restrictions Prefs
This brings me to another aspect of the story that might have prevented problems altogether — the restrictions preferences in iOS under Settings > General > Restrictions on iPad/iPhone/iPod touch devices.
When activated, in-app purchases can be turned off, but this preference is not made very apparent for the average user and is very well buried in the Settings area.
Why not set in-app purchase preferences to OFF and let the user opt-in when purchasing in-app goods?
Still, even if this preference were activated, requiring apps to get a username/password entered for the initial in-app purchase — rather than using cached credentials — would have stopped our inadvertent purchases.
So it comes to this: iTunes caches my credentials once entered for frictionless convenience, but it's not apparent to me as a user that this is the case until I have a $190 bill I didn't want. This is a problem that Apple needs to deal with.
So, with all that said, you can now read my story below, with updates and changes to the text in light of what I now know about iTunes, credentials, in-app purchases and PlayMesh:
Friday, June 9, 2010 10:00 PM
I'm angry.
I'm burning with a white hot passion to tell the story of iTunes enabling unintended charges of $190 worth of virtual currency in the iPhone app, Fishies from PlayMesh.
This is a cautionary tale about the dangers of iPad/iPhone apps and in-app purchasing.
This will be a long post, so hang on.
Today, iTunes enabled inadvertent in-app currency purchases via my 7 year old son, while he played the PlayMesh Fishies app on our iPad.
Read that again — from my 7 year old son.
It Started with a Free App
The story starts when we downloaded PlayMesh Fishies from the iTunes app store for Nathan to play with. It seemed innocent enough — a free iPhone app that let him create a virtual fish tank. Looked like fun.
When Nathan called me over, asking if he could buy some pearls for his new fish tank to get more items, I hesitated.
They were asking for our iTunes username and password. No way! I didn't want any part of their virtual pearls currency, thank you very much!
I asked Nathan if he could just sell some items to get other items, that's when he told me the app crashed every time he tried to do that. I tried to sell something, sure enough — crashes every time!
I looked at the iTunes reviews for Fishies and saw posts from users claiming to have bought things in-app and not getting them as promised.
I decided not to purchase any in-app items and thought there was nothing more to do.
Shocked by a $153.97 Purchase of Virtual Pearls
Fast forward to today — we purchased a racing app and while it downloaded to our iPad, Nathan fired up Fishies to pass the time.
"Hey dad! There are all sorts of pearls and items in Fishies today, isn't that cool? I wonder where they came from?"
I glanced over and saw the iPad screen and mentioned that the developers must have made an app upgrade to get the app working again.
Then I received an email from iTunes, opened it up and...
WHAT? A $153.97 BILL FOR FISHIES PEARLS?!!
I immediately told Nathan to shut the app down and asked him if he had clicked any windows to purchase anything: he said no.
It wouldn't have mattered if he had though, as in-app purchases OUGHT to require a username and password — and Nathan doesn't know it either.
What the heck was going on?
I immediately went to iTunes and saw the damage - multiple chests of virtual pearls for the Fishies app, escalating in value: $0.99... $1.99... $149.99!
$153.97 in inadvertent purchases from PlayMesh Fishies!

Time to Complain
I emailed iTunes support with a complaint immediately, but I also noticed in the iTunes terms that all sales are final. No refunds.
I sent PlayMesh support an angry email, demanding a refund for these unauthorized purchases.
Then I called PayPal and they were very helpful, but as it turns out, all they can do is dispute all transactions from iTunes — they can't do it for past purchases on my PayPal debit and they can't dispute specific purchases from iTunes.
ARRRGGGGGG!!
So I have another look at my iTunes account and guess what? The day we downloaded Fishies and Nathan played with it (that day he wanted to buy things in the app?) they charged us $37 for virtual pearls.
Greaaat. $190 for in-app purchases for Fishies I didn't even know were made.
Can you tell I'm livid?
I thought so.
And I'm not alone as it turns out:
The Sun: Alec McSalley charged £485 to play iPhone game
A FURIOUS dad told last night how £485 mysteriously vanished from his bank account after playing a simple game on his iPhone.
My iTunes Account Was Hacked for $375—By My Own Kids by Kevin Tofel on BusinessWeek:
As this past weekend included the Fourth of July holiday, I expected to see plenty of red, white, and blue. Unfortunately, all I experienced was red when, on Saturday, I noticed three unfamiliar iTunes transactions totaling more than $375.
Lock down your restrictions in the Settings of your iOS device and be aware that once your username and password are entered into the iTunes store for purchases, it hangs in cache for 15 minutes.
I've learned the hard way, hopefully you won't have to.
Update: Friday July 9th 12:40 AM
Wow! I mentioned this post on Twitter and it's been re-tweeted like crazy — first by Mac and iPhone developer Daniel Jalkut @danielpunkass and then a variety of other people. I think this story has touched a nerve. I hope it saves others from this hassle.
I've also learned through tweets and emails tonight, that Paul Thurrott's kids were also hit by a similar issue for in-app purchases for a whopping $880! He was able to call Apple and have the charges refunded, so Saturday I'm going to call Apple support for the iPad we had issues on to see what I can do.
Hear Paul and Leo LaPorte discuss the story on Windows Weekly 162 at about 1:02:15 into the podcast (MP3). Thanks Mike, Paolo and Michael for the tips!
Update: Saturday July 10th 10:00 AM
I took Paul Thurrott's advice from the podcast above and called Apple via the iPad support line — worked great.
The Apple support agent was as surprised as I was about the situation. He thought it was odd that in-app purchases happened without an iTunes username and password.
Apple refunded the largest $153.97 purchase.
They would only refund one day's purchases in Fishies.
I asked the Apple rep if iTunes one-click caching works with in-app purchases. He said iTunes requires username/password entry for every in-app purchase.
As it turns out, iTunes and the caching of my username and password were indeed to blame for these inadvertent in-app purchases.
What about restrictions preferences on the iPad itself?
on Twitter asked if I had set the Settings > General > Restrictions in the iPad to turn off in-app purchases. I hadn't realized this needed attention and hadn't disabled in-app purchases.
Still, even with the restrictions left at default (on) for in-app purchases, it doesn't explain how Fishies could have enacted in-app purchases without entry of my username and password.
I replied:
@NeoNacho iPad restrictions weren't set - but @SnappyTouch says each in-app purchase requires a username & pw which my son doesn't know.
NeoNacho says:
@rohdesign The password is definitely cached for a while. If you typed it in for getting the app and didn't lock in between, that's why.
My reply:
@NeoNacho Interesting explanation. I would have thought there's a barrier to cached un/pw when moving inside of an app. That's scary if so.
And it's exactly what happened. My username and password were stored in iTunes and used by Nathan, without me realizing it, to inadvertently buy pearls inside the app Fishies.
This seems to me a very dangerous approach by Apple.
June 22, 2010
Tour de France 2010 Resources
Since 2003, I've maintained an updated collection of Tour de France information; here is that list for 2010.
I'm currently checking through the links below, so if you find a bad link or have one to suggest, please send me an email with "TDF" in the subject line.
Thanks!
Mike
Streaming Audio & Video
Versus Live Tracker (US & Canada) Live video, maps, stats. $29.99
Versus Live TDF Tracker iPhone App (US & Canada) Live video and more. $14.99
Yahoo! Eurosport Audio (UK) Audio coverage from Eurosport.
VelonewsTV
CyclingNewsTV
ITV Sport
Official TdF Channel (YouTube)
SBS Tour de France (Australia)
Tour Websites
Tour de France Official Website
Tour 2010 General Classification
Tour 2010 Stages
Tour 2010 Route
Versus: Tour de France
Wired: Follow The Tour De France Online
Versus: Tour TV Schedule (US)
OLN: Tour TV (Canada)
ITV: Tour Coverage (UK)
Eurosport Tour Coverage (UK)
BBC Tour Coverage (UK)
The Guardian Tour Coverage (UK)
The Daily Peleton
VeloNews
VeloNews Mobile
TdF CoverItLive Mobile
Active.com
Bicycling.com
NY Times
ESPN
Cycling News
Steephill Live Dashboard
Cycling.Alltop.com
Tour Bloggers
TDFBlog
Martin Dugard
Active.com Tour Blogs
Christian Vande Velde (NYTimes)
Bruce Hildenbrand
Chris Carmichael
Ronan Pensec
Wannabe Bike Girl
TDF For the Rest of Us
Velochimp
Podium Cafe
Cyclocosm
Planet Armstrong Blog
Tour de France
TdFUpdates
TDFblog on Twitter
DailyTour on Twitter
VeloNews
Versus Cycling
Cyclosm
CyclingFans
Lance Armstrong
Levi Leipheimer
Cadel Evans
Dave Zabriskie
Christian Vande Velde
George Hincapie
Johan Bruyneel
TdFLanterne (http://twitter.com/TdFLanterne)
Podcasts
The Real Peleton Podcast | iTunes | RSS
Bicycling Magazine Podcast | iTunes | RSS
ITV TDF Podcast | iTunes
FredCast Daily Tour Podcast | iTunes | RSS
Two Johns Podcast | iTunes | RSS
BikeRadar TdF Video Podcast
Books
Tour Fever by J.P. Partland
Tour de France Quiz Book by John DT White (For trivia lovers!)
Web & Mobile Apps
Versus Live TDF Tracker iPhone App (US & Canada) Live video and more. $14.99
LeTour 2010 (Palm) Free
Ubilabs RdF Live Tracker
NOS TdF Twitter Feed Aggregator
NOS TdF Gadgets
BlueFlavor Leaflets: Le Tour de France
Widgets
NOS - Tour de France (Mac OS X)
Team Garmin Tour Guide (Adobe Air)
Photos
Graham Watson's Tour Photos
Sean Jawn's Tour Photos
Team Garmin Flickr Photostream
Flickr Photos Tagged "tourdefrance"
Miscellaneous
Topographic maps of Tour de France stages
SUGGESTIONS?
If you have resources to share: websites, blogs, etc., please let me know, so I can keep this list updated. Send me an email with "TDF" in the subject line.
Enjoy!
June 20, 2010
iPad Observations
I've had a 3G iPad for a bit over a month now and thought it would be good to capture some observations of the device, software and how I've found it useful.
• I find the iPad most useful and pleasant as a reading device using Instapaper for saved articles, NewsRack and Reeder for RSS and Kindle Reader for books. I still read RSS feeds with my iPhone but there's something pleasing about the larger screen that makes reading a joy on the iPad.
• Battery life is a killer feature. It's unusual to see the battery go low, though I've learned that the 10 watt charger is key — iPhone chargers simply don't have the oomph to charge the iPad, even though they will at least maintain the current charge level.
• Browsing is also very well suited to the iPad. This Friday I had to do some sketching for a logo project and decided to take only my iPad, sketchbook and pencils to the cafe. It was the perfect device to reference my Basecamp projects, search for reference images in Google and play music in iTunes and Pandora.
• I've enjoyed the Netflix and ABC Player apps — watching movies on an iPad is nicely intimate and not cumbersome as it always feels with my MacBook.
• Drawing works well on the iPad with a variety of useful drawing apps. I especially enjoy Adobe Ideas, Sketchbook Pro and Penultimate. The biggest issues are stylus options. I have the Pogo Sketch stylus and it works, but feels like drawing with a mushy pea on a stick. I've heard good things about the Dagi stylus but haven't bought one yet. I hope more, better styli appear over time that feel like actual pens and pencils.
• It's heavy and that's a plus and a minus. On the downside it can be awkward to hold up in bed for extended periods, but that weight also gives me the sense that an iPad is a substantive device. It certainly feels well made.
• Using the USB adapter from the photo connection kit works well with my wired USB Apple keyboard, though the Apple Bluetooth Keyboard is one item I think will make the iPad more useful as a writing device for me.
Those are just a few thoughts — I'll post more here as I think of them.
Mike
Rohdesign is the site of designer Mike Rohde, who writes about design, sketching, writing, mobile computing, technology, travel, cycling, books, music and more.




