Apple says Google is also known to poorly secure its Play Store from children making in-app purchases

Google Inc. (GOOG) may be next on the U.S. Federal Trade Commission's (FTC) list after Apple, Inc. (AAPL) pointed the finger at it in a January letter, the contents of which were partially revealed this week.

I. No Child Left Behind

Both companies' policy until the start of this year had been to prompt a user for a password when making a purchase.  Purchases could be made in the company's app store, or in-app via each platform's API.  Once the password was entered, further purchases could be made without it for a grace period.

You could shorten this grace period or turn it off altogether via options in the settings on each platform, but few users did.  Many users were at least mildly unaware that it wasn't just an odd occurrence that their device hadn't prompted them for a password -- it was the default system behavior.

Increasingly people have started sharing their smartphones and tablets with their children as toys for learning and fun.  But for some parents, the fun was quickly over when they were shocked to find their child had purchased thousands of dollars in in-app purchases with nary a password, because the purchases happened during the grace period following the parent's password-protected purchase.

Some app makers seemed to purposefully seek to cash in on this exploit.  Beeline Interactive, Inc.'s (formerly: Capcom Interactive) Smurfs' Village, for example, allows you to purchase 1,000 credits in-game for $59 USD.  Unwittingly allow your child to buy that a few dozen times, and your offspring has just committed you to pay thousands of dollars to Beeline for some new Smurf shacks.

Smurfs' Village by Beeline Interactive (formerly: Capcom Interactive)

For Apple, the problem began early on.  In Oct. 2007 late Apple CEO Steven P. Jobs softened to the idea of a "walled garden" in which third party app developers could freely offer their wares to customers.  Thus in mid-2008 the App Store was born.  In mid-2009 Apple rolled out a new feature -- in-app purchases.  A popular feature in the web gaming/PC shareware space, this offered developers an alternative monetization method.

In-app purchases were password protected, but in a fortuitous move, Apple opted to offer a 15 minute "grace" window in which users could make additional purchases after entering their password, without having to re-enter the password.  This "feature" was billed as a convenience, but it quickly became a major part of Apple's in-app purchase controversy.

An in-app purchase in iOS 3 [Image Source: Engadget]

With iOS 3, only paid apps could offer in-app purchases.  But in 2010 iOS 4 opened the floodgates to in-app purchases of up to $99 USD in free apps.  Suddenly in-app purchases became a popular marketing tactic.  Similar to the PC shareware craze, developers would take a paid app, offer it for free, but make it essentially crippled/unplayable until the user purchased a number of in-app purchases.

As the app market began to boom in 2010, reports of these kinds of charges began to pop up, but Apple moved sluggishly to fix the "feature", which to users might be a problem, but to Apple offered a way to pad its profits.

One frustrating trend was the arbitrary allotment of refunds to those who fell victim to the exploit.  Both companies officially stated that if a parent could "prove" their child (who was not authorized to make in-app purchases) made the purchases, they might be eligible for a refund.  In some cases large charges were indeed refunded.  But Apple also argued that in-app purchases were "non-voidable" and in some cases refused to reimburse parents.  For parents stuck in this mess, the only expectation was unpredictability -- some were lucky; others not so much.

With iOS 4.3 Apple finally separated password entry for in-app purchases from password entry for App Store purchases.  The 15-minute grace period still stood, but at least now adults who had made an App Store purchase wouldn't leave their device vulnerable to their children's in-app purchase attempts.

II. Google Jumps Onboard the In-App Purchase Train

As iOS 4.3 tried to placate Apple's legion of fans with slightly tighter permissions, Google finally stepped into the in-app purchase game as well.  In Feb. 2011 Google announced Android 3.0 Honeycomb and with it an update to Android Marketplace (the predecessor of Google Play) allowing in-app billing/purchases.


As Google stepped into this contentious business, Apple -- now in its second year of in-app purchases -- continued to face growing outrage.  Parents weren't satisfied with the changes made in iOS 4.3.  In March 2012 they sued Apple before the U.S. District Court for the Northern District of Calif.

Honeycomb's initial implementation was perhaps the most flagrant of all, offering users no way to turn off in-app purchases (short of manipulating and rebuilding the low-level OS).  Google remedied this somewhat with its 3.2.1 update -- which added the option in the Google Play settings to restrict in-app purchases with a PIN.  As of 2013, this was still the only effective way to explicitly prevent such actions.

Otherwise you were left at the mercy of the grace window, which much like iOS would only periodically require you to enter your password for purchases.  In Android this window was even longer - 30 minutes.

In Re Apple in-App Purchase Litigation, Case No. 5-11-CV-1758 EJD (N.D. Cal.; Mar. 31, 2012) by Venkat Balasubramani



The lawsuit did not deter yet more mobile device makers from jumping into the lucrative in-app purchases market.  Amazon.com, Inc. (AMZN) added the feature in April 2012, adding an "In-App Purchasing API" to Fire OS, its Android branch.

Microsoft Corp. (MSFT) added the feature in Windows Phone 8.  Microsoft offered perhaps the most intuitive solution of sorts, offering a dedicated subenvironment -- "Kids Corner" -- for parents who gave their devices to their children.  This environment not only shut off in-app purchases by default, but also denied children access to your messages and email (another common parental headache).

Apple tried unsuccessfully to dismiss the lawsuit.  

Meanwhile incidents continued, partly because iOS -- the first player to this game -- had perhaps the most convoluted method of forcing password protection of all in-app purchases.  Users wishing to be prompted for a password every time a purchase was attempted had to go into Settings > General > Restrictions, set a password, then go into Settings > General > Restrictions > Allowed Content and turn the in-app purchases slider to "off".  Ironically, this didn't mean you were unable to make purchases -- as it seemingly implied -- it merely meant you were prompted for a password every time in order to "reactivate" the feature temporarily.

III. Apple Didn't Wait Long After Settling to Point the Finger

Faced with the possibility of a protracted court battle and a potentially massive settlement, when punitive damages were factored in, Apple in January agreed to settle with consumers, pledging $32.5M USD for those affected.  As part of the settlement it agreed to refund 37,000+ claims by 28,000+ customers.  It also sent an email to 28 million App Store customers -- any customer who had paid for an in-app purchase in a child-aimed app.

What it did next was more controversial -- point the finger at its rival.

As famous black and white film actress Mary Pickford once said:

You may make mistakes, but you are not a failure until you start blaming someone else.

But apparently Apple's general counsel Bruce Sewell didn't take heed of that axiom.  After being grilled by the FTC and forced into the settlement Mr. Sewell sought to deflect the blame, writing a complaint letter to the FTC about its smartphone rival Google.
Apple General Counsel Bruce Sewell

Now we've learned a bit more about his role in prodding the FTC to investigate Google following his own company's settlement over abusive sales tactics.  In a letter to FTC Chairwoman Edith Ramirez and Democratic Commissioner Julie Brill, Mr. Sewell "helpfully" pointed out that his firm's top rival also had allegedly harmed some customers with similar tactics.  Politico obtained the previously unreleased email via a Freedom of Information Act (FOIA) (5 U.S.C. § 552) filing.

In his letter he writes:

I thought this article might be of some interest, particularly if you have not already seen it.

Politico did not publish the rest of the letter or a link to the article in question.  However, many articles on abusive in-app charges from 2012 (when the problem was first widely noted) and 2013 did mention incidents with Google Play.

This isn't the first time Mr. Sewell's tactics have been the subject of controversy.  Some will recognize Mr. Sewell as the Apple attorney who orchestrated the campaign of legal threats and invasive searches of Gizmodo journalist Brian Lam's residence following an Apple employee losing an iPhone prototype.

IV. Amazon Faces FTC's Wrath, Fires Back

The tactic may actually work.

The FTC has already moved on from Apple to another mobile device maker -- Amazon.  Apparently earlier this year the FTC threatened to sue Amazon after probing it over unauthorized in-app purchases.

Amazon's General Counsel, Andrew C. Devore, fired back on July 1 with a letter essentially telling the FTC to bring it on.  A copy of the letter [PDF] was obtained by The Verge.  In it he writes:

It's an understatement to say that this response is deeply disappointing.  The Commission's unwillingness to depart from the precedent it set with Apple, despite our very different facts, leaves us no choice but to defend our approach in court.

He also noted that the Amazon App Store contained "prominent notice of in-app purchasing, effective parental controls and real-time notice of every in-app purchase".  However, Amazon trails Apple and Google in that it does not offer an option to password protect against in-app purchases.  Rather, the only option available is the ability to disable in-app purchases altogether under Settings > Parental Controls in the Amazon App Store.

The FTC reportedly is demanding Amazon add password protection and offer all customers who were billed for unauthorized purchases refunds.  Amazon claims this would amount to keeping 20 years' worth of records on its customers, a privacy risk.

We were unable to find any reports of Amazon being sued over in-app purchases by consumers.  However, it has been rumored to be the subject of FTC complaints (possibly from Apple, even).  Given the heated nature of the response, it appears likely that Amazon is destined to face off with the FTC in court.

V. Apple's iOS 7.1 Tightens Permissions

Meanwhile Apple is at least making good on its own pledge to change.  While it still allows the grace period for password-less purchases, as part of the iOS 7.1 update released at the end of March it now shows a pop-up warning the user about the time window.  And it encourages the user to visit the settings, where there are now finer-grained controls to limit or turn off altogether the ability to purchase additional items without a password.

iOS 7.1 in-app purchase warning [Image Source: Apple Insider]

Apple has also offered full refunds to any customer with an unauthorized in-app purchase bill of over $30 USD, under the settlement terms.

Apple's Bait App Settlement by jeff_roberts881



Those seeking refunds must contact the "Apple In-App Purchase Litigation Administrator".  The only part of the settlement that may turn somewhat rancorous is Apple's handling of refunds for customers who had unauthorized purchases under $30 USD.  Under the settlement terms Apple is not giving these customers a cash refund, but rather is giving them a $5 USD gift card.

Some may be insulted by this partial refund, but Apple argues it's not guilty anyway and only settled to avoid an expensive legal battle.

VI. Facing Class Action, Will Google Also Face FTC Lawsuit?

Google is not the subject of any current FTC probe or legal action with regards to in-app purchases.  One reason is that its PIN protections are arguably more robust than Apple's were, prior to the recent iOS 7.1 update.

But it's also not out of the woods yet.  In March a pair of powerful law firms -- Berger & Montague, P.C. and Del Sole Cavanaugh Stroyd LLC -- filed a suit against Google seeking class action status regarding unauthorized in-app purchases.  The suit closely mirrors the one Apple faced and is filed in the same court.

Likely looking to strengthen its position and prevent further problems, a week later Google rolled out a new build of its Play Store -- v4.6.16.  The new version has somewhat finer grain controls.  In addition to the PIN, users can now pick whether to never enter their password when purchasing in-app content, only enter it the first time every 30 minutes (the previous default), or enter it every time.  The latter option is new.

Here are the old settings:

The old store settings [Image Source: Android Police]

And here are the new ones:

The new settings have 3 options. [Image Source: Android Police]

Some may wish for finer grain controls (along the lines of Microsoft's Kids Corner) but Google seems confident that its new policy will hold up legally and balances convenience with security.

Source: Politico


















Copyright 2017 DailyTech LLC.