Last week, an iPhone customer discovered that his son racked up $150 in unexpected in-app purchases using an app named Fishies by PlayMesh. But it wasn’t a PlayMesh scam, and it turns out that the way the App Store caches passwords was the culprit.
On Friday, Mike Rohde described in his blog how, after he entered a password on his iPhone, he gave it to his son, who subsequently played the game Fishies. His son, not knowing better, accumulated $149.99 in charges using in-app purchases. That was possible because the password was still in cache and hadn’t yet timed out. After his initial outrage turned out to be unfounded, Mr. Rohde subsequently apologized to PlayMesh.
Manton Reece, a developer, explained the problem and ran tests to confirm the (unintended) behavior. “What must have happened to Mike is that he bought something, entered his password, and then handed the iPad over to his son. His son played the fish game and clicked a bunch of random stuff (likely got the Buy prompt), but because the whole concept of virtual currency is kind of confusing, and because it didn’t ask for a password, the app happily let him make all the purchases.
“I doubt the developer of this app did anything wrong.”
The bottom line is, if Apple doesn’t provide an iOS fix in the future that turns off password caching, it’ll be wise to be careful who you hand your iPhone or iPad to right after you’ve entered your password.