In-app purchases lead to big bills for parents | iLounge News


In-app purchases lead to big bills for parents

A new report suggests that some parents are facing large iTunes bills after their children unknowingly make purchases within some apps. The San Francisco Chronicle has reprinted an AP story that focuses on purchases from within children’s games with questionable in-app purchase offerings, particularly “The Smurfs’ Village” game from Capcom. As one example, Kelly Rummelhart of Gridley, Calif has a four-year-old son who racked up nearly $67 in purchases while playing the game by purchasing “Smurfberries,” which are used to accelerate the completion of the game. “Really, my biggest concern was them scratching the screen. Never in my wildest dreams did I think they would be charging things on it,” she said. Notably, her son didn’t purchase the “wheelbarrow” of Smurfberries, which sells for $60 by itself. Other games cited in the story sell similar in-game items for as much as $100 each. Apple does offer parents the ability to restrict in-app purchases from within Settings, and has a 15-minute password window after which a user must re-enter his or her password in order to make another purchase, which it claims are sufficient blocks to unwanted purchases. It appears that not all parents are aware of the restrictions or the password window, however, and according to some, the password window doesn’t always work consistently.

Related Stories



That Smurfs game had a slew of comments in reviews on iTunes within a few days of its release that it had no confirmation nor password dialog for any IAP - you pressed the button and, voila, money deducted.

I’m not sure how the devs pulled it off, but it seems very suspect it could be accidental. That’s the kind of stuff the approval process should be checking.

Posted by Code Monkey on December 15, 2010 at 2:52 PM (CST)


Yes, I agree Apple should put in a “child proof” preference to stop all in app purchases. I have been worried about this every time my 3 & 5 year old children grab my phone.

Posted by Phillip Fuller on December 15, 2010 at 2:54 PM (CST)


An app should always have a safety, but let’s not fail to put the responsibility where it lies - with parents.
When my son’s pre-paid phone runs out of minutes, he’s hosed until the next time he earns the money.
With the iOS, you can setup (normally) to disallow a child from this problem. 
#2’s example hopefully was a mistake by the dev and/or Apple.

Posted by sb on December 15, 2010 at 3:15 PM (CST)


We have had the exact same thing happen to us but not with the smurfs game. One of our girls chalked up $55 in one game alone buying snow from santa!! now that is a lot of pocket money that she now does not have for christmas. I think APPLE really need to look at this,so we now have deleted our C/C details off of the itunes site so no purchases can be made and we’ll only look for free stuff.

Posted by craig on December 15, 2010 at 4:10 PM (CST)


Sorry no.4… Parents do have a responsiblity of course, but so do Apple and the developers
If I take my child to a shop, I do not expect the shopkeeper to let my child make purchases just because they have picked up my credit card. 

Equally I do not expect a game that has been developed for a child audience to allow in game purchases to be made without first requesting permission EVERY time.

We are not talking inconsequential micro payments either…

Posted by Boca on December 15, 2010 at 4:20 PM (CST)


@ Boca,
Please re-read my post.  Thank you.

Posted by sb on December 15, 2010 at 5:20 PM (CST)


Very simple parents

Settings > Parental Controls > In App Purchases off, is it really that hard?

@3 apple does have this feature.

Posted by Rob on December 15, 2010 at 5:52 PM (CST)


@Rob #8 on my iPhone with iOS 4.2.1 it’s actually
then you have to select the Enable Restrictions button at the top, then page down to Allowed Content: In App Purchases and turn it off.

Easy? Kind of.  Obvious? no.

Posted by Blackfish on December 15, 2010 at 7:41 PM (CST)


To me, the issue is the ability of devs to implement passwordless IAPs even when you don’t allow any purchases without passwords on your account, as was evidently the case with the Smurfs game. That is as huge a security breach as I’ve seen on iOS, because if it can be done quasi-legitimately for smurf berries, it can be done clearly underhandedly as well. When you’re used to seeing a few bucks a week charged to your iTunes account, how much effort would it be for a sleazy dev to charge you $0.99 every time you pressed “OK” to level up under the guise you were paying for “character enhancement”? People who don’t check their bazillion iTunes emails very carefully might never notice such skimming of their iTunes account.

Not storing my password for purchases works out just fine for stopping my 3 y.o. from buying apps or music accidentally on my wife’s iPad, we shouldn’t have to turn off IAPs on a shared device because a dev is abusing something Apple should have never allowed in the first place.

Posted by Code Monkey on December 16, 2010 at 10:31 AM (CST)


I don’t believe that IAPs are being allowed entirely without a password. The IAP system is called through a common API and presents the normal iTunes Store authorization dialog boxes and confirmations. Third-party developers don’t have any way of working around this or providing their own UI for it—they just call the API and iOS takes care of the purchasing process.

I suspect what happened here is that the child, perhaps unknowingly, was taking advantage of the 15-minute grace period since the last purchase.  The parent probably entered their password for the child to buy something, or perhaps to buy something for themselves on the device, and the child was then able to make more purchases from there without any further confirmation being required.

Note that the time period isn’t from the last time the password was actually entered, but simply from the last time a purchase was made with that account.  You could string it along by buying something every 14 minutes and probably keep on going indefinitely. It’s also worth noting that because a common “store” API is used for all interactions with the iTunes Store, the grace period doesn’t only apply to in-app purchases—it’s from the last time the iTunes Store account was used to download anything—be it an actual app or in-app purchase (regardless of which app), a song, or even a book within iBooks. 

The hidden convenience of this 15-minute window obviously comes with a price like this, and it would probably have been wiser for Apple to provide a “Remember my Password” type checkbox of confirmation window so that users are at least aware of it.

Posted by Jesse Hollington on December 16, 2010 at 2:35 PM (CST)


@10: I know that’s possible, but the number of complaints that sprang up within a day of the Smurf Village app release, and which continue to this day, when I’ve read reviews for many other apps with IAPs and never seen this sort of complaint, leads me to at least entertain the possibility that these people complaining weren’t just getting nailed by the grace period. In particular is the part about no confirmation dialog. Password grace period or not, letting your kid hit the “get smurf berries” button and actually getting smurf berries without any sort of confirmation at all is clearly intentionally deceitful program design. “Oh, did you hit that button accidentally while going to hit another button, we’re sorry, but that will be $99.99 on your credit card”.

Posted by Code Monkey on December 16, 2010 at 3:48 PM (CST)


If there truly was no confirmation at all, then obviously there’s a bug somewhere in iOS that a developer may be exploiting.  It should not be possible for an IAP to occur without any confirmation dialog.  The grace period merely applies to the password prompt—the user should still be presented with both the standard “Buy” confirmation dialog box and the “Your Purchase Was Successful” response—only the password is skipped if it’s been entered recently.

The problem is the standard APIs present these dialog boxes whether the developer wants them or not, and in many cases you actually get two responses following a purchase—the standard iOS one from the Store API and whatever the developer chooses to show you once their app receives the confirmation back that the purchase was successful.

If this really is some loophole being exploited by the developer, then Apple is fully responsible, especially since they ostensibly review every app submitted for such problems as these, and the Developer Guidelines for implementing IAP are extremely clear and well-documented.

It’s also worth noting, however, that users who run beta iOS versions or jailbreak their devices do so at their own risk of things like this happening, as it’s possible for jailbreak processes to modify this behaviour and beta iOS versions can make changes to how some of the integration processes work to allow developers to test their apps more easily.

Posted by Jesse Hollington on December 16, 2010 at 4:27 PM (CST)


Like all those who mentioned about Apple’s iOS parent restriction controls in the settings, preventing kid purchases were thought of.

However, some APPs used this functionality without warning. Like most of us, including me, reading the manuals is not a starter must-do. So seeing those purchases would just surprise especially if we allow our kids to use our devices on their own.

Posted by ChildProof on December 16, 2010 at 7:35 PM (CST)

Subscribe to iLounge Weekly

Sign up for the iLounge Weekly Newsletter

iLounge is an independent resource for all things iPod, iPhone, iPad, and beyond.
iPod, iPhone, iPad, iTunes, Apple TV, Mac, and the Apple logo are trademarks of Apple Inc.
iLounge is © 2001 - 2018 iLounge, Inc. All Rights Reserved. Terms of Use | Privacy Policy