iTunes password caching

“Mike Rohde racked up $190 in iTunes in-app purchases”:http://www.rohdesign.com/weblog/archives/003193.html without knowing it, blaming an app called “Fishies”:http://itunes.apple.com/us/app/fishies-by-playmesh/id360868737?mt=8 by PlayMesh for tricking his son into purchasing virtual items without a password prompt. He was obviously pretty upset — I would be too! — but calling it a “scam” probably goes too far. So what really happened?

It is fairly well known that after the App Store prompts for your iTunes password, you can download more apps for a certain length of time (at least a few minutes) before it requires a password again. What seemed less clear is that this applies to in-app purchases as well.

To be sure, I ran a test to confirm the behavior:

  • Download a new free app from the App Store (I downloaded the current number 1 iPhone app, Farm Story Summer).

  • Enter your password to confirm the download.

  • As soon as it finishes, go to another completely different app (in my case it was Iconfactory’s Ramp Champ, which I had downloaded months ago).

  • Purchase an in-app virtual item.

  • It prompts for whether you want to buy the item (the standard Apple prompt), but without requiring a password.

What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and clicked a bunch of random stuff (likely got the Buy prompt), but because the whole concept of virtual currency is kind of confusing, and because it didn’t ask for a password, the app happily let him make all the purchases.

I doubt the developer of this app did anything wrong. A reasonable argument could be made that iTunes should either not cache passwords at all, or keep a separate cache for app downloads vs. in-app purchases, or maybe always prompt for a password on in-app purchases. My kids and other kids I know have also used this backdoor trick to sneak a couple app downloads, but usually it’s a few bucks, not $190. Consumable virtual items (that you can keep buying over and over) make this problem much worse.
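The caching options in the paragraph above can be compared with a small model that replays a download followed by in-app purchases. This is an added example, not code from the original post and not Apple's implementation; the 300-second window, the choice that the window runs from the last password entry, and all class, policy and event names are assumptions.

```python
from enum import Enum

class Action(Enum):
    APP_DOWNLOAD = "app_download"
    IN_APP_PURCHASE = "in_app_purchase"

class Policy(Enum):
    SHARED_CACHE = "shared"            # behaviour observed in the test above
    SEPARATE_CACHE = "separate"        # one grace window per action type
    ALWAYS_PROMPT_IAP = "always_iap"   # in-app purchases never use the cache

GRACE_SECONDS = 300  # assumed; the post only says "at least a few minutes"

class PasswordGate:
    """Hypothetical model of a store's password grace window."""

    def __init__(self, policy, grace=GRACE_SECONDS):
        self.policy = policy
        self.grace = grace
        self.last_auth = {}  # cache key -> time the password was last typed

    def perform(self, action, now):
        """Return True if the user had to type the password for this action."""
        if (self.policy is Policy.ALWAYS_PROMPT_IAP
                and action is Action.IN_APP_PURCHASE):
            return True  # prompted every time, and nothing is cached from it
        # A shared cache collapses every action type onto one entry.
        key = action if self.policy is Policy.SEPARATE_CACHE else "any"
        stamp = self.last_auth.get(key)
        if stamp is not None and now - stamp < self.grace:
            return False  # still inside the grace window: no password prompt
        self.last_auth[key] = now
        return True

def replay(policy):
    """Constructed timeline (seconds): one download, then three purchases."""
    events = [
        (Action.APP_DOWNLOAD, 0),       # parent downloads an app
        (Action.IN_APP_PURCHASE, 60),   # device handed over, first purchase
        (Action.IN_APP_PURCHASE, 90),   # repeat consumable purchase
        (Action.IN_APP_PURCHASE, 400),  # purchase after the window has lapsed
    ]
    gate = PasswordGate(policy)
    return [gate.perform(action, t) for action, t in events]

if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.name:18} password prompts: {replay(policy)}")
```

Under the separate-cache policy the first in-app purchase is stopped by a password prompt, but repeat consumable purchases inside the window still go through without one; only the always-prompt policy stops every purchase.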

On “episode 60 of This Week In Startups”:http://thisweekin.com/thisweekin-startups/this-week-in-startups-60-with-neil-young/, Jason Calacanis interviewed ngmoco founder Neil Young about the mobile game business, focusing on the hit iPhone/iPad game “We Rule”:http://werule.ngmoco.com/. I was stunned to learn from the show that some individuals spend not only hundreds of dollars but up to $10,000 on in-app purchases in We Rule. Neil Young was happy to take their money, but something feels wrong here, like a gambling addiction gotten way out of hand. Or maybe just kids running up their dad’s credit card bill.