Apple slapped with settlement over shabby sales security in the App Store


Apple is understandably proud of its App Store.

Firstly, it's been a runaway commercial success, making bucket-loads of money for Apple.

Small buckets, by Apple's standards, to be sure, but bucket-loads nevertheless.

Secondly, for all that Apple extracts an impressive 30% from paid apps just for brokering their sale and download, the App Store has been a fruitful (sorry!) source of largesse to the developer community.

App developers, in fact, took home a collective 70% of the $10,000,000,000 that the App Store turned over in 2013.

Thirdly, Apple's unilateral control of what gets into the App Store has kept it as good as free from iOS malware.

Apple's unyielding regulation of the App Store has not been universally popular. But as a side-effect it has left the mobile malware problem almost exclusively to Android. Google's more liberal approach to alternative software markets has gone hand-in-hand with widespread malware, and therefore, Apple might argue, has made Android a much riskier platform for work or play.

But not everyone has been entirely happy with Cupertino's acumen in application delivery.

According to the US Federal Trade Commission, Apple was a bit too keen - sneaky is the word the FTC didn't use, but probably could have done - in the way it allowed applications and their accoutrements to be sold to children.

Apple facilitates not only the sale of iOS apps, but also the processing of in-app purchases.

A game creator might decide to give his game away for free, for example, to encourage new players to try it out.

That helps him build a community; he makes his money later by charging during gameplay for stuff that helps make keen players keener still.

Power-up pills, for example, swashbuckling swords, invisibility cloaks, even battle ostriches.

With all of these things costing real money, it's easy to see why customers wouldn't want Apple to make it easy for their children to acquire artificial objects in imaginary worlds, merely by clicking a button labelled [Buy].

The FTC's complaint against Apple is that the company did, indeed, go some way down that road.

Here's a neat and very useful mini-infographic prepared by the FTC that explains the two main things it didn't like about Apple's in-app purchasing system:

Firstly, the process didn't make it clear to parents, at the final password entry screen, what they were actually buying, or even that they were proceeding with an in-app purchase at all.

Did you merely authorise a configuration change? Or did you just purchase a new gameplay level for 99c? A Big Bag of Bravado for $9.99? Perhaps even a Heroic Hobbit Helmet, one careful owner, for a lofty $99.99?

That lack of clarity didn't go down well with the FTC.

Secondly, the Commission argued, the authorisation dialog didn't make it clear that you might be activating an "open slather" purchasing window that would stay open for 15 minutes, allowing your children ample time to rack up purchases without asking.

Of course, you can argue that parents ought to have familiarised themselves with on-line purchasing in iOS before letting their kids loose in the App Store, especially when one complainant didn't seem to notice until her daughter had blown $2600 in the Tap Pet Hotel.

And you can argue that parents ought to be stricter with themselves about typing in their passwords at a dialog box for which they have no context.

But you can also argue that Apple ought to favour clarity throughout the purchasing process, not least because the company was happy to accept 30% of that $2600 blowout at the aforementioned Tap Pet Hotel.

And that is exactly the argument that the FTC has made.

Apple has settled - remember, that means that officially this isn't a fine, or a conviction, or a negative judgement, merely an agreement to make the complaint go away - and will pay back at least $32,500,000.

If consumers don't come at Apple for the full amount, the difference will be paid over to the FTC.

Reducing the risk

If you're the sort of parent who lets your children use your personal iPad or iPhone for games, you can manage the financial risk in two ways, as recommended by the FTC.

You can turn in-app purchases off altogether, so that you'll never face one of those out-of-context "it's asking for your password, Mummy/Daddy" requests.

Go to Settings | General | Restrictions, and toggle the In-App Purchases setting in the ALLOW section:

Or go to the ALLOWED CONTENT section and set the Require Password option to Immediately, so that entering the password once doesn't open up a 15-minute pre-approved purchasing window:

If you choose the Immediately option, you'll need to approve each purchase one-by-one, thus avoiding an unexpected bill from the pet hotel.
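To make the difference between the two settings concrete, here is an added, hypothetical model of the password grace window (it is not Apple's code and not part of the original article). It replays a constructed sequence of purchase attempts under the default 15-minute window, under "Require Password: Immediately", and with in-app purchases switched off; the Policy and Device names are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FIFTEEN_MINUTES = timedelta(minutes=15)   # the pre-approved window (hypothetical model, not Apple's code)
IMMEDIATELY = timedelta(0)                # "Require Password: Immediately"

@dataclass
class Policy:
    in_app_purchases_allowed: bool = True
    password_grace: timedelta = FIFTEEN_MINUTES

@dataclass
class Device:
    policy: Policy
    last_password_at: Optional[datetime] = None
    charged: List[Tuple[str, int]] = field(default_factory=list)  # (item, cents)
    prompts: int = 0

    def attempt_purchase(self, item: str, cents: int, when: datetime, parent_present: bool) -> bool:
        """Return True if the purchase is charged. A prompt only succeeds when the parent is
        there to type the password; inside the grace window no prompt appears at all."""
        if not self.policy.in_app_purchases_allowed:
            return False                      # IAP switched off: nothing to buy, no prompt
        in_window = (self.last_password_at is not None
                     and when - self.last_password_at < self.policy.password_grace)
        if not in_window:
            self.prompts += 1
            if not parent_present:
                return False                  # a child alone can't supply the password
            self.last_password_at = when      # password typed: the window (re)opens
        self.charged.append((item, cents))
        return True

def total_charged(policy: Policy, events) -> Tuple[int, int]:
    """Replay (item, cents, minute, parent_present) events; return (cents charged, prompts shown)."""
    t0 = datetime(2014, 1, 15, 18, 0)         # constructed start time
    dev = Device(policy)
    for item, cents, minute, parent_present in events:
        dev.attempt_purchase(item, cents, t0 + timedelta(minutes=minute), parent_present)
    return sum(c for _, c in dev.charged), dev.prompts

# Constructed scenario: the parent approves one 99c level, then hands the iPad over.
SCENARIO = [
    ("new level", 99, 0, True),
    ("Big Bag of Bravado", 999, 5, False),
    ("Heroic Hobbit Helmet", 9999, 14, False),
    ("more gems", 999, 20, False),             # the 15-minute window has closed by now
]
```

With the default policy the child racks up $110.97 after a single password entry; with "Immediately" only the parent-approved 99c goes through, and with in-app purchases off nothing is charged and no password prompt ever appears.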

Let's hope that this settlement reminds us all of the risks of sharing mobile devices, whether between individuals (such as parents and children) or between functions (such as work and home).


7 Responses to Apple slapped with settlement over shabby sales security in the App Store

  1. dippy · 193 days ago

    Or people with kids could do the sensible thing and only use gift cards on an App Store account; having a nice hard limit on the ability to spend is already there.

  2. Author, do you think the kids' parents played any role in this? The kids did have parents, didn't they? Or were the kids' computers turned into babysitters?

    • Paul Ducklin · 193 days ago

      Sure, but you can still argue (as the FTC did) that Apple could and should have made the workflow for buying this stuff a bit clearer, considering that it would be obvious that it was almost certainly a young child that clicked [Buy].

      Apple vets its Apps strictly, remember, so it must know which apps are going to be pushing in-app purchases at users who are too young to authorise those purchases themselves...

      You could probably even make a case that some sorts of purchase (those likely to be initiated by someone who's under-age) ought to act as a trigger to turn off that "15 minute window" automatically.

  3. Rhon · 192 days ago

    It isn't just children. I have had several charges, just in the past month, for a game I play, but know for a fact that I did not purchase these extra "gems". In fact I have had the Apple Store refund my money, which they did. I didn't even receive the EXTRA "gems" that Apple charged me. As an adult I was not aware of in-app charges, until I started seeing these on my bank account, and I did receive emails from Apple for each purchase that I DID NOT PURCHASE. The customer service representative was kind enough to show me how to turn off in-app purchases, which I did. Then yesterday I noticed another charge. All of these charges are for ONE game only. And to top that, I didn't receive any extra "gems" for these so-called in-app purchases. So today I will be making another call to Apple to refund this charge. As I explained to the CSR, even if I, somehow hit "buy", why didn't I receive the extra "gems", had I received them I wouldn't have failed that level over and over again.

    • Paul Ducklin · 192 days ago

      That sounds like a different problem, though with a similar symptom. Does someone else know your username and password?

  4. 4caster · 191 days ago

    I don't like the App Store. It's a platform for advertising rubbish that I don't want to buy or even see, but I have to use it to find upgrades that I need.
    Also the upgrade information doesn't give download sizes or times. These are important because I am limited by a 0.5 Mbps broadband speed. I once started to download one that then told me it was going to take 36 hours, and I mustn't interrupt the download. Actually I suffered a power cut, but fortunately it did not destroy the existing software.
    And another gripe: I have two Macs, and prefer to download standalone upgrades so as not to have to download them twice. These are not always available, for example Safari 6.1.1, which became available recently. Search for it on Apple Support and it's not there.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog