
App Store Password Caching Causing Unintentional Purchases?

So you have a kid, right? Then I’m sure you’ve done this a lot or have had this happen at least once: You download an innocent game to keep them busy, hand them your iPhone, and let them have at it. The kids get carried away, and you wake up the next morning to a bank alert claiming you’ve incurred $300 in in-app purchases. This leads to a few nasty emails sent to Apple and the developer, claiming fraudulent charges and demanding your money back.

But just so you know, developers aren’t trying to screw you over. Apple has an odd API concerning purchases and password caching. While you probably realize that Apple gives you the opportunity to purchase multiple items in the store so you don’t have to keep entering your password, you might not have realized that this caching translates to in-app purchases as well.

The drama of Mike Rohde concludes with such a realization. Rohde buys a simple fish game, his kid purchases a ton of virtual gunk, and suddenly there are some ridiculous charges for virtual pearls. Angry, Rohde demanded his money back. While he was partially refunded, the developer of the game wrote back:

“That being said we have indeed noticed that there are several users whose experience has mimicked yours. We have pinned it down to the fact that iTunes usually caches your iTunes account login for some amount of time after you have been prompted for it. So usually what will happen, is that a parent will download Fishies and give it to their kid to play with it right after they download.

Afterward, their kid will go get a few in-app purchases (usually including the $149 option) and never get prompted for a password. Unfortunately, this part of the system is almost entirely controlled by Apple, we’re simply plugging into their API.”

Manton Reece confirmed this behavior in a recent blog post, which John Gruber cites in a recent Daring Fireball link.

What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and clicked a bunch of random stuff (likely got the Buy prompt), but because the whole concept of virtual currency is kind of confusing, and because it didn’t ask for a password, the app happily let him make all the purchases.

I doubt the developer of this app did anything wrong.

Before you hand off your iPhone to your kid, just be aware of what can happen when they attempt to purchase virtual goodies without understanding the consequences.

[Rohdesign and Manton Reece via Daring Fireball]
