By John Gruber
Apple’s App Store isn’t free from scams, either. John Koetsier, writing for Forbes:
I tried it myself, and the flow is very clear:
- Download the app
- Open it
- Click the big “Start” button (this has small, hard-to-read pricing information, but even though I was testing the app and forewarned, I missed it)
- Instantly be taken to an Apple payments confirmation screen: free for three days, and then $3.99/week in perpetuity.
The flow is smart and sneaky. It’s carefully designed to have you “agree” to the charges without having any intention of paying
“Users open the app and quickly tap a ‘Start’ button or ‘Continue’ button on the first page,” she told me via email. “Unfortunately this loads the Apple payment prompt instead of starting the free app as most users would expect. Users then panic and press the home screen to exit the app — unfortunately on fingerprint devices this makes payment or signs up for the free trial.”
Needless to say, $4/week for a very, very, very simple barcode-scanning device is completely ridiculous. $156/year borders on criminal.
Apple has since pulled most of these apps from the App Store, but how did they get there in the first place? I can see how a new app with a malicious IAP scam might slip through review, but once an app is generating tens of thousands of dollars a month, it ought to get a thorough review from the App Store.
The scam outlined above is admittedly pretty clever. I’d never really thought about it before, but the fact that the home button on Touch ID devices serves both as the “Yes I really do want to authorize this payment” verification and the “Get me out of this app and back to the home screen” escape hatch makes it ripe for abuse like this. Face ID doesn’t make X-class iPhones immune from scams, but the requirement that you double-click the side button to verify a payment means you can’t be tricked into doing it inadvertently.
Craig Silverman, reporting for BuzzFeed News:
One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.
This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems. […]
In total, the apps identified by BuzzFeed News have been installed on Android phones more than 115 million times, according to data from analytics service AppBrain. Most are games, but others include a flashlight app, a selfie app, and a healthy eating app. One app connected to the scheme, EverythingMe, has been installed more than 20 million times.
These criminals raked in tens of millions of dollars, maybe hundreds of millions, including millions from Google’s own ad network.
The bottom line: if the metric used for charging for advertising can be faked, it will be faked. Ad tracking is both an invasion of privacy and an open invitation to fraud.
Ron Amadeo, writing at Ars Technica:
For some unexplained reason, Google is locking out third-party Qi chargers from reaching the highest charging speeds on the Pixel 3. Third-party chargers are capped to a pokey 5W charging speed. If you want 10 watts of wireless charging, Google hopes you will invest in its outrageously priced Pixel Stand, which is $79. […]
Regular 10W wireless chargers can be had for around $15-$25, so Google’s $79 Pixel Stand comes at a hefty markup. Qi is a standard, and a phone should strive to work with every charger. The Qi standard goes up to 15W, so there doesn’t seem to be any reason for Google’s 5W limit.
Amadeo’s take captures the consensus reaction to this news — that it’s a money grab on Google’s part, trying to get Pixel 3 owners to buy Google’s own proprietary charging stand. Maybe that’s true. But it may not be true. This idea that Google should have supported the Qi standard for higher charging speeds is based on the assumption that the Qi standard is technically good. I don’t think that’s a safe assumption at all.
A money grab for $79 charging stands doesn’t sound like Google at all to me. I think it’s more likely that Google went with a proprietary technology for higher charging speeds because their proprietary technology works better than whatever the Qi standard specifies for 10W charging. Keep in mind too that they’ve surely been working on the Pixel 3 hardware for years.
I could be wrong. But it seems far more likely to me, and more in character for Google, that they’re not sticking with the Qi standard simply because the standard isn’t good enough — or wasn’t good enough two years ago when they were making engineering decisions for the Pixel 3. Here’s the thing about industry standards like Qi: they usually suck.
Qi not being good enough is exactly why Apple’s mythical AirPower charging pad was touted as supporting a basic level of the Qi standard, but adding a lot of proprietary features on top.
Darius Miles on going straight from high school to the L.A. Clippers in 2000. Remarkably compelling read, capturing both the joy and the tragedy of his life. Trust me, even if you’re not into sports, you want to read this.