
Apple says Google is also known to poorly secure its Play Store against children making in-app purchases

Google Inc. (GOOG) may be next on the U.S. Federal Trade Commission's (FTC) list after Apple, Inc. (AAPL) pointed the finger at it in a January letter, the contents of which were partially revealed this week.

I. No Child Left Behind

Both companies' policy until the start of this year had been to prompt a user for a password when making a purchase.  Purchases could be made in the company's app store, or in-app via each platform's API.

You could decrease or turn off altogether this grace period via options in the settings on each platform, but few users did.  Many users were at least mildly unaware that it wasn't just an odd occurrence that their device hadn't prompted them for a password -- it was the default system behavior.

Increasingly, people have started sharing their smartphones and tablets with their children as toys for learning and fun.  But for some parents, the fun was quickly over when they were shocked to find their child had purchased thousands of dollars in in-app purchases with nary a password, as they happened during the grace period following the parent's password-protected purchase.

Some app makers seemed to purposefully seek to cash in on this exploit.  Beeline Interactive, Inc.'s (formerly: Capcom Interactive) Smurfs' Village, for example, allows you to purchase 1,000 credits in-game for $59 USD.  Unwittingly allow your child to buy that a few dozen times, and your offspring has just committed you to pay thousands of dollars to Beeline for some new Smurf shacks.

Smurfs' Village by Beeline Interactive (formerly: Capcom Interactive)

For Apple, the problem began early on.  In Oct. 2007 late Apple CEO Steven P. Jobs softened to the idea of a "walled garden" in which third party app developers could freely offer their wares to customers.  Thus in mid-2008 the App Store was born.  In mid-2009 Apple rolled out a new feature -- in-app purchases.  A popular feature in the web gaming/PC shareware space, this offered developers an alternative monetization method.

In-app purchases were password protected, but in a fortuitous move, Apple opted to offer a 15 minute "grace" window in which users could make additional purchases after entering their password, without having to re-enter the password.  This "feature" was billed as a convenience, but it quickly became a major part of Apple's in-app purchase controversy.

An in-app purchase in iOS 3 [Image Source: Engadget]

With iOS 3, only paid apps could offer in-app purchases.  But in 2010 iOS 4 opened the floodgates to in-app purchases of up to $99 USD in free apps.  Suddenly in-app purchases became a popular marketing tactic.  Similar to the PC shareware craze, developers would take a paid app, offer it for free, but make it essentially crippled/unplayable until the user purchased a number of in-app purchases.

As the app market began to boom in 2010, reports of these kinds of charges began to pop up, but Apple moved sluggishly to fix the "feature", which to users might be a problem, but to Apple offered a way to pad its profits.

One frustrating trend was the arbitrary allotment of refunds to those who fell victim to the exploit.  Both companies officially stated that if a parent could "prove" their child (who was not authorized to make in-app purchases) made the purchases, they might be eligible for a refund.  In some cases large charges were indeed refunded.  But Apple also argued that in-app purchases were "non-voidable" and in some cases refused to reimburse parents.  For parents stuck in this mess, the only expectation was unpredictability -- some were lucky; others not so much.

With iOS 4.3 Apple finally separated password entry for in-app purchases from password entry for App Store purchases.  The 15-minute grace period still stood, but at least now adults who had made an App Store purchase wouldn't leave their device vulnerable to their children's in-app purchase attempts.

II. Google Jumps Onboard the In-App Purchase Train

As iOS 4.3 tried to placate Apple's legion of fans with slightly tighter permissions, Google finally stepped into the in-app purchase game as well.  In Feb. 2011 Google announced Android 3.0 Honeycomb and with it an update to Android Marketplace (the predecessor of Google Play) allowing in-app billing/purchases.

As Google stepped into this contentious business, Apple -- now in its second year of in-app purchases -- continued to face growing outrage.  Parents weren't satisfied with the changes made in iOS 4.3.  In March 2012 they sued Apple before the U.S. District Court for the Northern District of Calif.

Honeycomb's initial implementation was perhaps the most flagrant of all, offering users no way to turn off in-app purchases (short of manipulating and rebuilding the low-level OS).  Google remedied this somewhat with its 3.2.1 update -- which added the option in the Google Play settings to restrict in-app purchases with a PIN.  As of 2013, this was still the only effective way to explicitly prevent such actions.

Otherwise you were left at the mercy of the grace window, which much like iOS would only periodically require you to enter your password for purchases.  In Android this window was even longer - 30 minutes.

In Re Apple in-App Purchase Litigation, Case No. 5-11-CV-1758 EJD (N.D. Cal.; Mar. 31, 2012) by Venkat Balasubramani



The lawsuit did not deter yet more mobile device makers from jumping into the lucrative in-app purchases market.  Amazon.com, Inc. (AMZN) added the feature in April 2012, adding an "In-App Purchasing API" to Fire OS, its Android branch.

Microsoft Corp. (MSFT) added the feature in Windows Phone 8.  Microsoft offered perhaps the most intuitive solution of sorts, offering a dedicated subenvironment -- "Kids Corner" -- for parents who gave their devices to their children.  This environment not only shut off in-app purchases by default, but also denied children access to your messages and email (another common parental headache).

Apple tried unsuccessfully to dismiss the lawsuit.  

Meanwhile incidents continued, partly because iOS -- the first player to this game -- had perhaps the most convoluted method of forcing password protection of all in-app purchases.  Users wishing to be prompted for a password every time a purchase was attempted had to go into Settings > General > Restrictions, set a password, then go into Settings > General > Restrictions > Allowed Content and turn the slider for in-app purchases to "off".  Ironically, this didn't mean you were unable to make purchases -- as it seemingly implied -- it merely meant you were prompted for a password every time in order to "reactivate" the feature temporarily.

III. Apple Didn't Wait Long After Settling to Point the Finger

Faced with the possibility of a protracted court battle and a potentially massive settlement, when punitive damages were factored in, Apple in January agreed to settle with consumers, pledging $32.5M USD for those affected.  As part of the settlement it agreed to refund 37,000+ claims by 28,000+ customers.  It also sent an email to 28 million App Store customers -- any customer who had paid for an in-app purchase in a child-aimed app.

What it did next was more controversial -- point the finger at its rival.

As famous black-and-white film actress Mary Pickford once said:

You may make mistakes, but you are not a failure until you start blaming someone else.

But apparently Apple's general counsel Bruce Sewell didn't take heed of that axiom.  After being grilled by the FTC and forced into the settlement Mr. Sewell sought to deflect the blame, writing a complaint letter to the FTC about its smartphone rival Google.

Apple General Counsel Bruce Sewell

Now we've learned a bit more about his role in prodding the FTC to investigate Google following his own company's settlement over abusive sales tactics.  In a letter to FTC Chairwoman Edith Ramirez and Democratic Commissioner Julie Brill, Mr. Sewell "helpfully" pointed out that his firm's top rival also had allegedly harmed some customers with similar tactics.  Politico obtained the previously unreleased email via a Freedom of Information Act (FOIA) (5 U.S.C. § 552) filing.

In his letter he writes:

I thought this article might be of some interest, particularly if you have not already seen it.

Politico did not publish the rest of the letter or a link to the article in question.  However, many articles on abusive in-app charges from 2012 (when the problem was first widely noted) and 2013 did mention incidents with Google Play.

This isn't the first time Mr. Sewell's tactics have been the subject of controversy.  Some will recognize Mr. Sewell as the Apple attorney who orchestrated the campaign of legal threats and invasive searches of Gizmodo journalist Brian Lam's residence following an Apple employee losing an iPhone prototype.

IV. Amazon Faces FTC's Wrath, Fires Back

The tactic may actually work.

The FTC has already moved on from Apple to another mobile device maker -- Amazon.  Apparently earlier this year the FTC threatened to sue Amazon after probing it over unauthorized in-app purchases.

Amazon's General Counsel, Andrew C. Devore, fired back on July 1 with a letter essentially telling the FTC to bring it on.  A copy of the letter [PDF] was obtained by The Verge.  In it he writes:

It's an understatement to say that this response is deeply disappointing.  The Commission's unwillingness to depart from the precedent it set with Apple, despite our very different facts, leaves us no choice but to defend our approach in court.

He also noted that the Amazon App Store contained "prominent notice of in-app purchasing, effective parental controls and real-time notice of every in-app purchase".  However, Amazon trails Apple and Google in that it does not offer an option to password protect against in-app purchases.  Rather, the only option available is the ability to disable in-app purchases altogether under Settings > Parental Controls in the Amazon App Store.

The FTC reportedly is demanding Amazon add password protection and offer all customers who were billed for unauthorized purchases refunds.  Amazon claims this would amount to keeping 20 years' worth of records on its customers, a privacy risk.

We were unable to find any reports of Amazon being sued over in-app purchases by consumers.  However, it has been rumored to be the subject of FTC complaints (possibly from Apple, even).  Given the heated nature of the response, it appears likely that Amazon is destined to face off with the FTC in court.

V. Apple's iOS 7.1 Tightens Permissions

Meanwhile Apple is at least making good on its own pledge to change.  While it still allows the grace period for password-less purchases, as part of the iOS 7.1 update released at the end of March it now puts up a pop-up warning the user about the time window.  And it encourages the user to visit the settings, where there are now more fine-grained controls to limit or turn off altogether the ability to purchase additional items without a password.

iOS 7.1 in-app purchase warning
[Image Source: Apple Insider]

Apple has also offered full refunds to any customer with an unauthorized in-app purchase bill of over $30 USD, under the settlement terms.

Apple's Bait App Settlement by jeff_roberts881



Those seeking refunds must contact the "Apple In-App Purchase Litigation Administrator".  The only part of the settlement that may turn somewhat rancorous is Apple's handling of refunds for customers who had unauthorized purchases under $30 USD.  Under the settlement terms Apple is not giving these customers a cash refund, but rather is giving them a $5 USD gift card.

Some may be insulted by this partial refund, but Apple argues it's not guilty anyways and only settled to avoid an expensive legal battle.

VI. Facing Class Action, Will Google Also Face FTC Lawsuit?

Google is not the subject of any current FTC probe or legal action with regards to in-app purchases.  One reason is that its PIN protections are arguably more robust than Apple's were, prior to the recent iOS 7.1 update.

But it's also not out of the woods yet.  In March a pair of powerful law firms -- Berger & Montague, P.C. and Del Sole Cavanaugh Stroyd LLC -- filed a suit against Google seeking class action status regarding unauthorized in-app purchases.  The suit closely mirrors the one Apple faced and is filed in the same court.

Likely looking to strengthen its position and prevent further problems, a week later Google rolled out a new build of its Play Store -- v4.6.16.  The new version has somewhat finer grain controls.  In addition to the PIN, users can now pick whether to never enter their password when purchasing in-app content, only enter it the first time every 30 minutes (the previous default), or enter it every time.  The latter option is new.

Here are the old settings:

The old store settings [Image Source: Android Police]

And here's the new one:

The new settings have 3 options. [Image Source: Android Police]

Some may wish for finer grain controls (along the lines of Microsoft's Kids Corner) but Google seems confident that its new policy will hold up legally and balances convenience with security.

Source: Politico



Comments

Real Mature
By Reclaimer77 on 7/10/2014 2:11:51 PM , Rating: 4
Translation:

"But mom", said the grounded child. "Billy was doing it too!!!"




RE: Real Mature
By atechfan on 7/10/2014 3:54:53 PM , Rating: 2
As much as I'd love to take this opportunity to swipe at Google, just for fun, I can't. I have to agree with you here. Also, I must raise a point about parental responsibility. It isn't really Google's job to control your kids on your phone.

I guess the best I can do here is point out how MS has the best system of the three with Kids Zone.


RE: Real Mature
By Reclaimer77 on 7/10/2014 4:05:27 PM , Rating: 2
I just discovered something else on my wonderful delightful work iPhone.

They REQUIRE you to give them your credit card information just to make an account. As well as all kinds of personal information like your street address and stuff. Can you believe that?

I've been using Google services for years, and they've never tried to FORCE my credit card info out of me just to make a Google account to use their services. I can even use the Play Store WITHOUT giving them my credit card info, unless I buy something of course.

That right there is a huge reason why Apple got in trouble.


RE: Real Mature
By LifeByTheHorns on 7/10/14, Rating: 0
RE: Real Mature
By Reclaimer77 on 7/10/14, Rating: 0
RE: Real Mature
By atechfan on 7/10/2014 6:00:15 PM , Rating: 2
Yep, you need some form of payment to even create an Apple ID now. I assume if you already had one from before the change was made, you would be ok. But since I don't have one, I don't know for sure.


RE: Real Mature
By tonyswash on 7/10/14, Rating: -1
RE: Real Mature
By atechfan on 7/11/2014 5:03:06 AM , Rating: 1
Well, that is useful information should I ever be forced to have an Apple ID for some reason. But you shouldn't have to install the awful Windows iTunes software just to work around the credit card requirement on an iDevice.


RE: Real Mature
By Reclaimer77 on 7/11/2014 9:14:51 AM , Rating: 3
Way to miss the point Tony. How many people are going to actually bother to look that up, much less go through that convoluted practice?

Nope, they're just going to hand over Apple all their critical information. By default it's "required" to make an ID.

And Apple just reaps the profits of imposing the practice of forced easy purchasing.


RE: Real Mature
By Cheesew1z69 on 7/12/2014 11:03:13 AM , Rating: 2
quote:
Way to miss the point Tony.
Seems pretty common with him.


RE: Real Mature
By Solandri on 7/11/2014 4:05:17 AM , Rating: 2
quote:
I guess the best I can do here is point out how MS has the best system of the three with Kids Zone.

Technically, Android has the best system. It's based on Linux, so has the full user/group/superuser permissions built in.

Unfortunately, rather than use it to allow phone owners to create additional less-privileged accounts for their kids, Google and the carriers have just been using it to lock owners out of root access to their own phones.


RE: Real Mature
By Charley M on 7/10/2014 5:59:28 PM , Rating: 2
That was my first thought too.


RE: Real Mature
By inperfectdarkness on 7/12/2014 2:17:21 AM , Rating: 2
There's an easier fix:

Buy your kid a Nintendo DS & never let them lay a finger on your smartphone/tablet.


By GotThumbs on 7/10/2014 2:42:38 PM , Rating: 3
The complaints were against Apple.

Now scum-sucking lawyers/sharks are circling around to attack Google and fill their pockets. No mention of any customers reaching out first. It's the lawyers looking for clients and a big pay-day for themselves.

Apple will be smiling behind the parent's (FTC) back, like a spoiled child.

Our society really is sinking fast.




That's one way to look at it
By amanojaku on 7/10/2014 3:10:10 PM , Rating: 3
quote:
In Oct. 2007 late Apple CEO Steven P. Jobs softened to the idea of a "walled garden" in which third party app developers could freely offer their wares to customers.
Another way to look at it is Jobs softened to the idea of the OS and hardware vendor collecting 30% of every 3rd party application sale, something unheard of until the iPhone. If MS had tried that it would have been broken up Ma Bell-style.




By drycrust3 on 7/10/2014 5:19:11 PM , Rating: 2
In case anyone is wondering, this setting isn't in the usual settings on your Android phone, it is part of Play Store, so you need to open Play Store and then hit the Play Store icon (the carry bag with a triangle on it) at the top left, then select "SETTINGS" at the bottom of the drop down list.




That's a lot of words about nothing
By ptmmac on 7/11/2014 11:27:41 AM , Rating: 2
Did Google make in app purchasing too easy? If they did then the complaint is factual. What else matters?




Good luck suing Google over this...
By jnemesh on 7/11/2014 2:54:00 PM , Rating: 2
I am the only user on my Android devices, but I still have both my phone and my tablet set to require a password for EVERY purchase! It prevents me from accidentally purchasing anything...and just in case someone else uses my device, it makes sure that no one but me charges things to my credit card!

I don't know how you could possibly sue someone for old, or outdated software...once they address the problem, it's fixed. Amazon's issue is that they didn't have the option of requiring passwords to restrict purchases billed to the Amazon account, and THAT is why they are in hot water. Google doesn't have this problem.




Apple's solution is stupid
By GatoRat on 7/14/2014 2:54:00 AM , Rating: 2
Why just "Settings" and "OK"? Why not add "No"? Easy; they really want you to make more purchases, even if by accident.




Copyright 2014 DailyTech LLC.