Apple slapped with settlement over shabby sales security in the App Store

Apple is understandably proud of its App Store.

Firstly, it’s been a runaway commercial success, making bucket-loads of money for Apple.

Small buckets, by Apple’s standards, to be sure, but bucket-loads nevertheless.

Secondly, for all that Apple extracts an impressive 30% from paid apps just for brokering their sale and download, the App Store has been a fruitful (sorry!) source of largesse to the developer community.

App developers, in fact, took home a collective 70% of the $10,000,000,000 that the App Store turned over in 2013.

Thirdly, Apple’s unilateral control of what gets into the App Store has kept it as good as free from iOS malware.

→ Apple’s unyielding regulation of the App Store has not been universally popular. But as a side-effect it has left the mobile malware problem almost exclusively to Android. Google’s more liberal approach to alternative software markets has gone hand-in-hand with widepsread malware, and therefore, Apple might argue, has made Android a much riskier platform for work or play.

But not everyone has been entirely happy with Cupertino’s acumen in application delivery.

According to the US Federal Trade Commission, Apple was a bit too keen – sneaky is the word the FTC didn’t use, but probably could have done – in the way it allowed applications and their accoutrements to be sold to children.

Apple facilitates not only the sale of iOS apps, but also the processing of in-app purchases.

A game creator might decide to give his game away for free, for example, to encourage new players to try it out.

That helps him build a community; he makes his money later by charging during gameplay for stuff that helps make keen players keener still.

Power-up pills, for example, swashbuckling swords, invisibility cloaks, even battle ostriches.

With all of these things costing real money, it’s easy to see why customers wouldn’t want Apple to make it easy for their children to acquire artificial objects in imaginary worlds, merely by clicking a button labelled [Buy].

The FTC’s complaint againt Apple is that the company did, indeed, go some way down that road.

Here’s a neat and very useful mini-infographic prepared by the FTC that explains the two main things it didn’t like about Apple’s in-app purchasing system :

Firstly, the process didn’t make it clear to parents, at the final password entry screen, what they were actually buying, or even that they were proceeding with an in-app purchase at all.

Did you merely authorise a configuration change? Or did you just purchase a new gameplay level for 99c? A Big Bag of Bravado for $9.99? Perhaps even a Heroic Hobbit Helmet, one careful owner, for a lofty $99.99?

That lack of clarity didn’t go down well with the FTC.

Secondly, the Commission argued, the authorisation dialog didn’t make it clear that you might be activating an “open slather” purchasing window that would stay open for 15 minutes, allowing your children ample time to rack up purchases without asking.

Of course, you can argue that parents ought to have familiarised themselves with on-line purchasing in iOS before letting their kids loose in the App Store, especially when one complainant didn’t seem to notice until her daughter had blown $2600 in the Tap Pet Hotel.

And you can argue that parents ought to be stricter with themselves about typing in their passwords at a dialog box for which they have no context.

But you can also argue that Apple ought to favour clarity throughout the purchasing process, not least because the company was happy to accept 30% of that $2600 blowout at the aforementioned Tap Pet Hotel.

And that is exactly the argument that the FTC has made.

Apple has settled – remember, that means that officially this isn’t a fine, or a conviction, or a negative judgement, merely an agreement to make the complaint go away – and will pay back at least $32,500,000.

If consumers don’t come at Apple for the full amount, the difference will be paid over to the FTC.

Reducing the risk

If you’re the sort of parents who let your children use your personal iPad or iPhone for games, you can manage the financial risk in two ways, as recommended by the FTC.

You can turn in-app purchases off altogether, so that you’ll never face one of those out-of-context “it’s asking for your password, Mummy/Daddy” requests.

Go to Settings | General | Restrictions, and toggle the In-App Purchases setting in the ALLOW section:

Or go to the ALLOWED CONTENT section and set the Require Password option to Immediately, so that entering the password once doesn’t open up a 15-minute pre-approved purchasing window:

If you choose the Immediately option, you’ll need to approve each purchase one-by-one, thus avoiding an unexpected bill from the pet hotel.

Let’s hope that this settlement reminds us all of the risks of sharing mobile devices, whether between individuals (such as parents and children) or between functions (such as work and home).