App Store Cache Bug Trips up Father & Son

| News

Last week, an iPhone customer discovered that his son racked up $150 in unexpected in-app purchases using an app named Fishies by PlayMesh. But it wasn’t a PlayMesh scam, and it turns out that way the App Store caches passwords was the culprit.

On Friday, Mike Rohde described in his blog how, after he entered a password on his iPhone, he gave it to his son who subsequently played the game Fishies. His son, not knowing better, accumulated $149.99 in charges using in-app purchases. That was possible because the password was still in cache and hadn’t yet timed out. After his initial outrage turned out to be unfounded, Mr. Rohde subsequently apologized to PlayMesh.

Manton Reece, a developer, explained the problem and ran tests to confirm the (unintended) behavior. “What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and clicked a bunch of random stuff (likely got the Buy prompt), but because the whole concept of virtual currency is kind of confusing, and because it didn’t ask for a password, the app happily let him make all the purchases.

“I doubt the developer of this app did anything wrong.”

The bottom line is, if Apple doesn’t provide an iOS fix in the future that turns off password caching, it’ll be wise to be careful who you hand your iPhone or iPad to right after you’ve entered your password.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

5 Comments Leave Your Own

computerbandgeek

I always thought this was a feature, not a bug. Sounds like a bug in the parenting wink

John Martellaro

It’s a feature until it burns you badly.  Then it’s a bug.  wink

other side

hink this is just true in the same application. I mean, a password session lasts until the application is closed. If you are playing a game where you purchased something and typed your password, before handing the device to another person, you must quit the game.

Which will be interesting now that we have iOS 4 and apps that stay alive in the background.

Hmmm, now that we have multitasking, will there be a place in iOS 5 for multi-users?

JonGl

I think the cache carries over from App Store to in-app purchases, because this happened to me. I had updates some apps on my phone and then my little one started playing Shrek Carts and shortly started complaining that it wasn’t working. That was because she had clicked on the upgrade from free button. Oh well all my kids are now enjoying the full game. wink

mithridain

It’d be nice if the user could set the timeout length

Log-in to comment