UPDATE July 10, 2010 3:00 PM
My article about issues with the iPhone app Fishies has brought up some good discussion about in-app purchases and what turns out to be an opaque iTunes system that caches usernames and passwords without users realizing it.
I've heard background on the way iTunes deals with in-app purchases from other iOS developers and received a personal note from Eric, a founder at PlayMesh, so I want to set the record straight about what happened.
First, I want to apologize to PlayMesh.
As a parent, I was angered yesterday at what seemed like an unauthorized purchase of virtual currency in their app, Fishies. This has turned out NOT to be the case. PlayMesh is no different than any other iOS app developer using in-app purchases.
Rather, this was all a result of iTunes storing my username and password from a prior purchase for in-app purchases in Fishies.
Now one might argue that $149.99 in virtual currency or objects of any kind is just nuts. I would agree with you, but that is a separate subject from how items like this could be purchased as in-app add-ons.
This is an issue with any iOS app that uses an in-app purchasing model, because iTunes stores your username and password, which is subsequently available for in-app purchases, even if you don't know it.
A Reply from PlayMesh
Eric from PlayMesh contacted me today about my experience and had useful background to share from their perspective on the topic of in-app purchases.
We built Fishies with the intention of making it a free to play game and we would sell a few virtual goods to help sustain its own costs. We happily adopted Apple's in-app purchase system because we believed it to be the most friction-free experience for our users who do choose to support us financially by buying some virtual goods.
That being said we have indeed noticed that there are several users whose experience has mimicked yours. We have pinned it down to the fact that iTunes usually caches your iTunes account login for some amount of time after you have been prompted for it. So usually what will happen is that a parent will download Fishies and give it to their kid to play with right after they download.
Afterward, their kid will go get a few in-app purchases (usually including the $149 option) and never get prompted for a password. Unfortunately, this part of the system is almost entirely controlled by Apple; we're simply plugging into their API.
That's precisely my experience from yesterday, and it appears to be a flaw/feature in the iTunes system. Helpful discussion and feedback from developers @NeoNacho, @manton, @NattyLux and @felttipsoft confirmed that iTunes was storing my username and password for 15 minutes after my initial app purchase, which allowed purchases in Fishies without any login prompts.
It's not at all fair to iOS developers, as they are simply using the system Apple provides. When purchases are made without users' knowledge, they blame the developers without realizing it's really the iTunes system of caching credentials that's at fault here.
Manton Reece on iTunes password caching
Manton Reece, a developer of Mac and iOS software, today wrote the article iTunes password caching on his blog. Here's an excerpt:
What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and clicked a bunch of random stuff (likely got the Buy prompt), but because the whole concept of virtual currency is kind of confusing, and because it didn't ask for a password, the app happily let him make all the purchases.
I doubt the developer of this app did anything wrong. A reasonable argument could be made that iTunes should either not cache passwords at all, or keep a separate cache for app downloads vs. in-app purchases, or maybe always prompt for a password on in-app purchases. My kids and other kids I know have also used this backdoor trick to sneak a couple app downloads, but usually it's a few bucks, not $190. Consumable virtual items (that you can keep buying over and over) make this problem much worse.
Manton is right — though the Fishies app was downloaded free several weeks ago, which made it even harder to see the connection between buying a racing game at 10:30 AM and getting multiple large in-app purchases from Fishies at 10:45.
This is the real issue — users don't realize their credentials, with full purchasing power, are floating around in iOS, available to apps for in-app purchasing.
In my view, any in-app purchase should at least require an initial re-entry of username and password to initiate a purchase in the app.
Cached credentials from prior purchases ought not to be available within an app unless I specifically opt in to that feature by manually changing preferences.
Buried iOS Restrictions Prefs
This brings me to another aspect of the story that might have prevented problems altogether — the restrictions preferences in iOS under Settings > General > Restrictions on iPad/iPhone/iPod touch devices.
When activated, in-app purchases can be turned off, but this preference is not made very apparent to the average user and is buried deep in the Settings area.
Why not set in-app purchase preferences to OFF and let the user opt-in when purchasing in-app goods?
Still, even if this preference were activated, requiring apps to get a username/password entered for the initial in-app purchase — rather than using cached credentials — would have stopped our inadvertent purchases.
So it comes to this: iTunes caches my credentials once entered for frictionless convenience, but it's not apparent to me as a user that this is the case until I have a $190 bill I didn't want. This is a problem that Apple needs to deal with.
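To make the policy choice concrete, here is a small model added as an illustration (not code from Apple, PlayMesh or anyone quoted here) of a credential cache shared between App Store downloads and in-app purchases, next to one scoped per purchase kind, with the Restrictions switch on top. The class, its method names and the exact purchase times are assumptions; the 15-minute window and the 10:30 App Store purchase come from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CACHE_TTL = timedelta(minutes=15)  # window reported by the developers quoted in the post


@dataclass
class CredentialCache:
    """Model of the iTunes credential cache: remembers when the password was last typed.

    scoped=False reproduces the behaviour described in the post: one entry covers both
    App Store downloads and in-app purchases. scoped=True is the alternative Manton
    suggests: a separate cache per purchase kind, so an in-app purchase never rides on
    a password entered for an App Store download. (Hypothetical model, not Apple's code.)
    """
    scoped: bool
    in_app_restricted: bool = False  # the Settings > General > Restrictions switch
    _entered: dict = field(default_factory=dict)

    def _key(self, kind):
        return kind if self.scoped else "any"

    def enter_password(self, kind, when):
        self._entered[self._key(kind)] = when

    def authorize(self, kind, when):
        """Return 'blocked', 'prompt' or 'silent' for a purchase of the given kind."""
        if kind == "in-app" and self.in_app_restricted:
            return "blocked"
        last = self._entered.get(self._key(kind))
        if last is not None and when - last < CACHE_TTL:
            return "silent"  # cached credentials used, no password dialog shown
        return "prompt"


def replay(scoped, restricted=False):
    """Replay the post's timeline: racing game bought at 10:30, pearl chests bought after.

    Constructed times 10:40, 10:44 and 10:46 bracket the 15-minute window.
    """
    cache = CredentialCache(scoped=scoped, in_app_restricted=restricted)
    day = datetime(2010, 7, 9)  # constructed date for the timeline
    cache.enter_password("app-store", day + timedelta(hours=10, minutes=30))
    return [cache.authorize("in-app", day + timedelta(hours=10, minutes=m))
            for m in (40, 44, 46)]


if __name__ == "__main__":
    print("shared cache :", replay(scoped=False))
    print("scoped cache :", replay(scoped=True))
    print("restricted   :", replay(scoped=True, restricted=True))
```

With the shared cache the first two chests go through silently and only the purchase after the window expires would have prompted; the scoped cache prompts for each, and the Restrictions switch blocks them outright.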
So, with all that said, you can now read my story below, with updates and changes to the text in light of what I now know about iTunes, credentials, in-app purchases and PlayMesh:
Friday, June 9, 2010 10:00 PM
This is a cautionary tale about the dangers of iPad/iPhone apps and in-app purchasing.
This will be a long post, so hang on.
Today, iTunes enabled inadvertent in-app currency purchases via my 7-year-old son, while he played the PlayMesh Fishies app on our iPad.
Read that again — from my 7-year-old son.
It Started with a Free App
The story starts when we downloaded PlayMesh Fishies from the iTunes app store for Nathan to play with. It seemed innocent enough — a free iPhone app that let him create a virtual fish tank. Looked like fun.
When Nathan called me over, asking if he could buy some pearls for his new fish tank to get more items, I hesitated.
They were asking for our iTunes username and password. No way! I didn't want any part of their virtual pearls currency, thank you very much!
I asked Nathan if he could just sell some items to get other items; that's when he told me the app crashed every time he tried to do that. I tried to sell something and, sure enough, it crashed every time!
I looked at the iTunes reviews for Fishies and saw posts from users claiming to have bought things in-app and not getting them as promised.
I decided not to purchase any in-app items and thought there was nothing more to do.
Shocked by a $153.97 Purchase of Virtual Pearls
Fast forward to today — we purchased a racing app and while it downloaded to our iPad, Nathan fired up Fishies to pass the time.
"Hey dad! There are all sorts of pearls and items in Fishies today, isn't that cool? I wonder where they came from?"
I glanced over and saw the iPad screen and mentioned that the developers must have made an app upgrade to get the app working again.
Then I received an email from iTunes, opened it up and...
WHAT? A $153.97 BILL FOR FISHIES PEARLS?!!
I immediately told Nathan to shut the app down and asked him if he had clicked any windows to purchase anything: he said no.
It wouldn't have mattered if he had, though, as in-app purchases OUGHT to require a username and password — and Nathan doesn't know it either.
What the heck was going on?
I immediately went to iTunes and saw the damage: multiple chests of virtual pearls for the Fishies app, escalating in value: $0.99... $1.99... $149.99!
$153.97 in inadvertent purchases from PlayMesh Fishies!
Time to Complain
I emailed iTunes support with a complaint immediately, but I also noticed in the iTunes terms that all sales are final. No refunds.
I sent PlayMesh support an angry email, demanding a refund for these unauthorized purchases.
Then I called PayPal and they were very helpful, but as it turns out, all they can do is dispute all transactions from iTunes — they can't do it for past purchases on my PayPal debit and they can't dispute specific purchases from iTunes.
So I had another look at my iTunes account and guess what? The day we downloaded Fishies and Nathan played with it (the day he wanted to buy things in the app), they charged us $37 for virtual pearls.
Greaaat. $190 for in-app purchases for Fishies I didn't even know were made.
Can you tell I'm livid?
I thought so.
And I'm not alone as it turns out:
A FURIOUS dad told last night how £485 mysteriously vanished from his bank account after playing a simple game on his iPhone.
My iTunes Account Was Hacked for $375—By My Own Kids by Kevin Tofel on BusinessWeek:
As this past weekend included the Fourth of July holiday, I expected to see plenty of red, white, and blue. Unfortunately, all I experienced was red when, on Saturday, I noticed three unfamiliar iTunes transactions totaling more than $375.
Lock down your restrictions in the Settings of your iOS device and be aware that once your username and password are entered into the iTunes store for purchases, they stay cached for 15 minutes.
I've learned the hard way, hopefully you won't have to.
Update: Friday July 9th 12:40 AM
Wow! I mentioned this post on Twitter and it's been re-tweeted like crazy — first by Mac and iPhone developer Daniel Jalkut @danielpunkass and then a variety of other people. I think this story has touched a nerve. I hope it saves others from this hassle.
I've also learned through tweets and emails tonight that Paul Thurrott's kids were also hit by a similar issue with in-app purchases, for a whopping $880! He was able to call Apple and have the charges refunded, so Saturday I'm going to call Apple support for the iPad we had issues on to see what I can do.
Update: Saturday July 10th 10:00 AM
I took Paul Thurrott's advice from the podcast above and called Apple via the iPad support line — worked great.
The Apple support agent was as surprised as I was about the situation. He thought it was odd that in-app purchases happened without an iTunes username and password.
Apple refunded the largest $153.97 purchase.
They would only refund one day's purchases in Fishies.
I asked the Apple rep if iTunes one-click caching works with in-app purchases. He said iTunes requires username/password entry for every in-app purchase.
As it turns out, iTunes and the caching of my username and password were indeed to blame for these inadvertent in-app purchases.
What about restrictions preferences on the iPad itself?
on Twitter asked if I had set the Settings > General > Restrictions in the iPad to turn off in-app purchases. I hadn't realized this needed attention and hadn't disabled in-app purchases.
Still, even with the restrictions left at default (on) for in-app purchases, it doesn't explain how Fishies could have made in-app purchases without entry of my username and password.
@NeoNacho iPad restrictions weren't set - but @SnappyTouch says each in-app purchase requires a username & pw which my son doesn't know.
@rohdesign The password is definitely cached for a while. If you typed it in for getting the app and didn't lock in between, that's why.
@NeoNacho Interesting explanation. I would have thought there's a barrier to cached un/pw when moving inside of an app. That's scary if so.
And it's exactly what happened. My username and password were stored in iTunes and used by Nathan, without me realizing it, to inadvertently buy pearls inside the app Fishies.
This seems to me a very dangerous approach by Apple.
FarmVille Fraud - Similar experiences with the FarmVille app for the iPhone.
How A "Free" iPhone Game Suckered Me Out Of $190* - SAI version of this article.