For those who have not read my earlier post about how my five-year-old son managed to spend almost $275 (more than the stupid iPod Touch cost in the first place) on iTunes whilst your author was quietly enjoying a few craft brews with friends, I will summarize.
My son was playing a few games on my iPod Touch. Unbeknown to me, one of the games allowed for real-money in-app purchases – expensive ones. In the time it took me to drain my first liter of beer, junior had done most of the damage. The iPod was logged out of iTunes and he was never asked for a password. Furthermore, my password is a long alpha-numeric string that he would not be able to remember.
I have been told, by one commenter that this is impossible and that iTunes will always ask for my password and that it is “on me” if my son knew it – well guess what? iTunes didn’t ask for my password and my five-year-old son cannot reproduce a ten-character alpha-numeric string, this FUBAR is on Apple and they admitted as much when they admitted nothing but offered to refund all 12 purchases that he somehow managed to make without a password on that fateful night.
So how did it happen? I have a theory as to why it didn’t ask for the password. Basically, it comes down to this: I was using an iPod Touch, not an iPhone. With its 3G connection, an iPhone would be able to access iTunes at the time of the purchase. My iPod Touch had no Wi-Fi connection at the time. The items were purchased within the game, and iTunes was notified that they had been purchased as soon as the iPod Touch connected to Wi-Fi. Pretty sneaky, huh? But how else would it work? There was no Wi-Fi connection when my son purchased the items. I had failed only in so far as I did not turn off in-app purchasing – an option that I did not know that my iPod Touch had.
My final thought on this mess: Apple has dropped the ball on this one. If my theory is correct then in-game items are accessed at the client-side, with purchases processed after the fact, as soon the device connects to a Wi-Fi signal. The transactions are automatic and appear to not need any verification. It also highlights a somewhat sad fact: that the data that is bought in an in-app purchase is already on the device to begin with – when you buy an item in a game, you are essentially paying to access data that is taking up space in your device’s memory. It seems rather exploitative to charge a person for something that they already have in their possession – but no more exploitative than it is stupid to pay for something that you already – in a sense – own.