App Store Password Caching Causing Unintentional Purchases?

So you have a kid, right? Then I’m sure you’ve done this a lot, or at least had it happen once: you download an innocent game to keep them busy, hand them your iPhone, and let them have at it. The kids get carried away, and you wake up the next morning to a bank alert saying you’ve incurred $300 in in-app purchases. That leads to a few nasty emails to Apple and the developer, claiming fraudulent charges and demanding your money back.

But just so you know, developers aren’t trying to screw you over. Apple’s purchase API has an odd wrinkle around password caching. You probably realize that once you enter your password in the App Store, Apple lets you buy several more items without re-entering it; what you might not have realized is that the same cached authorization carries over to in-app purchases as well. The password prompt is a per-account, per-window check, not a per-purchase one, so whoever is holding the device inside that window can buy without being challenged.

The drama of Mike Rohde concludes with exactly that realization. Rohde buys a simple fish game, his kid purchases a pile of virtual gunk, and suddenly there are some ridiculous charges for virtual pearls. Angry, Rohde demanded his money back. He was partially refunded, and the developer of the game wrote back:

“That being said, we have indeed noticed that there are several users whose experience has mimicked yours. We have pinned it down to the fact that iTunes usually caches your iTunes account login for some amount of time after you have been prompted for it. So usually what will happen is that a parent will download Fishies and give it to their kid to play with right after they download it.

Afterward, their kid will go get a few in-app purchases (usually including the $149 option) and never get prompted for a password. Unfortunately, this part of the system is almost entirely controlled by Apple; we’re simply plugging into their API.”

Manton Reece confirmed this behavior in a recent blog post, which John Gruber linked to from Daring Fireball.

What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and tapped a bunch of random stuff (likely including the Buy prompt), but because the whole concept of virtual currency is confusing, and because the app never asked for a password, it happily let him make all the purchases.

I doubt the developer of this app did anything wrong.

Before you hand your iPhone to your kid, be aware of what can happen when they try to buy virtual goodies without understanding the consequences, especially right after you’ve entered your password yourself.

[Rohdesign and Manton Reece via Daring Fireball]
