An in-app purchase snafu: Apple sets sail on the failboat

It’s been a while since I’ve noticed Apple doing something really dumb. But this was almost shoved in my face, so it was difficult to just pass it by without writing a brief commentary on it.

Jacob Gorban recently wrote and published a short piece about Apple’s new in-app purchases feature that left users annoyed, and left him and his company looking like thieves. From his post:

We started to receive support requests from customers that purchased the “unlock” feature [in an app called Cashculator] but the application was still acting as “locked”. All they saw was a message that the transaction failed, with a very descriptive “Unknown Error” message, and nothing more. The really appalling aspect of this was that they were charged for the purchase ($20 to $30 in our case) but the transaction was marked as failed, the reason being “unknown error”.

Needless to say, such behavior doesn’t make the customers happy about using your app, not at all. Some of them originally thought that they failed to purchase. Imagine how surprised they were to receive a receipt from Apple a day or two later for their “purchase” which didn’t work.

Jacob goes on to state that just a few days ago, Apple finally fixed this bug. And the app upgrades that had been purchased, mysteriously finally started working. You’d think that’s the end of the story, right? Wrong.

Apple never really ackowledged that there was an issue with this, didn’t close my bug report, didn’t delete all the 1-star reviews that angry customers left and didn’t compensate the affected developers for their financial loss. Nothing.
[…]
I’m really not happy with the opaque way in which Apple handled this. […] Having this issue for more than a month and keeping it secret, while developers and customers suffer the consequences is plain wrong.

In other words, Apple quietly fixed this, and never even acknowledged there was a problem. This is not the way any decent company operates. This is one reason (of many) why I do not trust Apple and do not buy or use their products. (I once had to edit a blog post on my mom’s iPad for Quinn’s Big City. It took a lot of willpower not to start screaming profanity in the middle of a coffee shop.)

In my opinion, the right way to handle this, was to immediately investigate the incident, issue a press release stating the problem, and Do The Right Thing for the customers (both the developers and the end users). I am reminded of Microsoft’s absolutely abysmal attitude towards security, taking days or weeks to even acknowledge there was an issue, during the turn of the century, an attitude which (thankfully) Microsoft has learned cannot be sustained going forward. I can only hope Apple learns the same lesson with regard to communication with its customers and acknowledgement of known bugs, especially when they relate to payment handling.

Shame on you, Apple. This is not fixed; the damage done to the reputations of developers who trusted you to do the right thing still needs fixing. And that’s not as simple as tweaking a few lines of code and recompiling.

Misguided “Operation Wardrive” set to happen in Austin today

If this one seems a bit rushed, it is. I just now came across a mention of these two articles in an IRC channel I’m in, and noticed that this is was scheduled to start happening today. Spread the word if you are in Austin.

According to both EFF Austin and KVUE, the Austin Police Department is sweeping the city. Not for pot plants, speeders, reckless drivers, or even jaywalkers. They are sweeping the city for open wi-fi access points.

From the KVUE article (quoted in EFF Austin’s article):

Leaving your wireless network open invites a number of problems:

  • You may exceed the number of connections permitted by your Internet service provider.
  • Users piggy-backing on your internet connection might use up your bandwidth and slow your connection.
  • Users piggy-backing on your internet connection might engage in illegal activity that will be traced to you.
  • Malicious users may be able to monitor your Internet activity and steal passwords and other sensitive information.
  • Malicious users may be able to access files on your computer, install spyware and other malicious programs, or take control of your computer.

Before even getting into EFF Austin’s side of the story, I’d like to analyze these, which it would appear at first glance were ripped straight out of APD’s press release without any vetting whatsoever (I really hope KVUE is better than that, but this is the state of news in 2011). Most of these aren’t even correct or have errors in fact. In order:

  • “You may exceed the number of connections permitted by your Internet service provider.”: Most wi-fi routers assign a private IP address and don’t really differentiate between one, two, five, ten, twenty, or fifty devices on the network (some may run out of addresses at a certain point but this problem can be remedied). It is rare to have a wi-fi access point connected directly to the outside Internet so for the majority of users this doesn’t apply. If your Internet provider does hard-limit the number of devices you can run on your connection, it’s time to switch. (This may, eventually, become an issue again with IPv6, but even then with most users getting a block of 65,000 addresses, this is doubtful.)
  • “Users piggy-backing on your internet connection might use up your bandwidth and slow your connection.”: Most users using an open wi-fi access point will not download excessive amounts of data. The benefit here of invited guests and friendly neighbors being able to borrow your connection usually outweighs the risks.
  • “Users piggy-backing on your internet connection might engage in illegal activity that will be traced to you.”: This is the same argument used to dissuade people from running Tor exit nodes and I would expect most of the same legal advice given to Tor exit node operators would apply here. In summary, an IP address does not uniquely identify an individual Internet user. It is simply routing information.
  • “Malicious users may be able to monitor your Internet activity and steal passwords and other sensitive information.”: This is about the only one that may be true with any regularity, and even then this would only apply to connections in plaintext, not to encrypted connections.
  • “Malicious users may be able to access files on your computer, install spyware and other malicious programs, or take control of your computer.”: Only if your computer is misconfigured, and in the case of malware, only likely if you’re running Windows or possibly MacOS. This doesn’t happen very often in the wild, if at all.

From EFF Austin’s post on the topic:

The EFF Austin Board of Directors finds nothing wrong with this analysis of the potential risks Internet users undertake when intentionally or unintentionally leaving their wireless access points open for shared use. In fact, we could cite a few more. However, these are much the same risks that Internet users undertake when using ANY shared wireless access point, such as those provided by cafés, public parks, or the Austin Public Library.

Missing from the cited analysis is any recognition of potential benefits to be gained from publicly sharing one’s wireless access point. Lately, the virtues of contributing to any shared commons tends to be overshadowed by fears of bad actors (both real and imagined). For some facts, it’s worth reviewing cryptographer and computer security specialist Bruce Schneier‘s discussion on the virtues and risks of running an open wireless network.

I agree in principle with EFF Austin’s argument, and I think it is unfortunate that APD has chosen to go through with this with the misguided belief they are helping keep their citizens safe. (The rest of the article mentions EFF’s Texas Public Information Act request and their concern about exactly what is being collected and why.)

We have maybe a couple of hours before APD’s officers will start knocking on doors to contact computer network owners sharing their Internet intentionally or unintentionally. So I think it’s a good time to remind everyone, especially those in Austin, that it is a bad idea from both a privacy and a legal standpoint to let the police inside your residence or business unless they have a warrant or you called them and they need access to do their job. For more information review this FAQ section at flexyourrights.org.

I suggest either not talking to APD or saying as little as possible if they want to discuss the security settings of your wireless network. Frankly, I think there are better uses of taxpayer money, and I encourage Austin residents who agree to communicate this to their elected officials.

UPDATE: Per entersection’s comment below, this was actually canceled/disapproved by APD. I will be making a followup post about this in the near future (probably by tomorrow night at the latest).

Edit 2023-01-28: The previous link to flexyourrights.org was broken sometime in the last decade and change; it is now updated and working again.