Beware of Android Market - especially with your kids

[billythewiz]

For christmas I bought my wife and kids a Xoom. A few days later we received an email. My 5 year old managed to spend £15.97 on a "barrel of smufberries", an in-app purchase in "Smurfs' Village".

At no point did we ever enter our credit card details into the device !

It turns out that Android Market automatically links to your Google Checkout account (which my wife set-up in October to give some money to a charity).
It also turns out that the default setting for Android Market is to NOT require a password or PIN ( I'm used to IOS so I was stunned by this). In fact it's a feature that was only added in September 2011 !

But the best bit is that the Xoom, running Android 3.2, ships with v.1.0.27. A version so old that it neither supports a PIN or the ability to upgrade itself to a version that does.

I was able to manually upgrade with these instructions https://groups.google.com/a/googlepr...0/GIetU4vpHncJ

Firstly you have to enable non-market installation.

Settings->Applications->Unknown Sources: make sure the check box is checked.

Then downlaod an APK file of the Android Market... I used http://dl.apktops.com/app/201112/And...rket_3.4.4.apk
from
http://www.apktops.com/android-market-3-4-4.html

Once it has downloaded just install it. For me I used the default Xoom FE browser... downloaded.. then Menu->downloads and double tap the filename once it was marked as complete.

I then added a PIN http://support.google.com/androidmar...answer=1626831

And finally (just to be sure), I removed my card details from Google Checkout.

I'm led to believe that App purchases are cancelled if you delete the app within 24 hours of purchase,
http://eyes-free.googlecode.com/svn/...ss/market.html
but for in-game purchases there is no trial period and no refunds !

[jim]

I'm led to believe that App purchases are cancelled if you delete the app within 24 hours of purchase,
http://eyes-free.googlecode.com/svn/...ss/market.html
but for in-game purchases there is no trial period and no refunds !

It used to be, but they dropped it to 15 minutes.

[Pancake]

Why are you complaining? you agreed to the Android Market T&C when you first opened it.

[Smudger]

You need to tell the kids you'll send them to debtor's prison if they do it again...

[abaxas]

Make sure your google doodar has a credit card on there.

If it happens again, insta refund.

Job done.

[billythewiz]

Sorry abaxas, I don't follow what you mean.

"google doodah" - you mean the xoom tablet ?

"has a credit card on there" - my card details have never been entered into the tablet, they were in Google Checkout, but not any more.

"insta refund" - what is that ? I'm probably going to have to dispute the payment to get my money back.

[billythewiz]

Pancake, most of my post was to provide details to others, on how to resolve the problem if it happens to them.

Most T&Cs aren't worth the mouse click you put into them. At the end of the day I don't have the resources to take on Google, so it doesn't matter what their T&Cs actually say, only what Google claim they say. But ... If I can get Halifax or Mastercard or the Financial Services Authority (as mentioned in Google's email to me) on my side, then they can take on Google.

[Singh400]

Sorry, but you don't have a leg to stand on here. You are at fault.

[Hoonigan]

Sorry, but you don't have a leg to stand on here. You are at fault.

That may well be the case, but there's definitely a problem with the way Google's Android OS operates.

If it doesn't ask for a password, does that mean people essentially have access to your credit card details, password free, if your phone is stolen?

[MSIC]

Sorry, but you don't have a leg to stand on here. You are at fault.

You've completely missed the point, re-read the post again.

Thanks billythewiz, good to know.

[this_is_gav]

If it doesn't ask for a password, does that mean people essentially have access to your credit card details, password free, if your phone is stolen?

No, it means that someone could make purchases from the Google app store unless you didn't notify your bank/credit card firm. Your details aren't open for people to see (though perhaps the last 4 numbers are, like on some sites).

That said, and I'm not a preacher by any means, I'm not sure I'd be letting a 5 year old play on such an open device unsupervised.

[abaxas]

Sorry abaxas, I don't follow what you mean.

"google doodah" - you mean the xoom tablet ?

"has a credit card on there" - my card details have never been entered into the tablet, they were in Google Checkout, but not any more.

"insta refund" - what is that ? I'm probably going to have to dispute the payment to get my money back.

Basically a credit card is a device of debt. Hence if you child uses it to buy something, the transaction is not legal hence can be instantly reversed.

You cannot be held responsible for a debt what someone else put on your card.

IE. always use a credit card (NOT DEBIT) for all online purchases.

[mikerr]

Basically a credit card is a device of debt. Hence if your child uses it to buy something, the transaction is not legal hence can be instantly reversed.

You cannot be held responsible for a debt what someone else put on your card.

Not if "someone else" is someone you have given details to (like spouse, kids) !

I take it you're happy for the CC company to prosecute your wife or child for fraud ?



but on to the main topic:

the default setting for Android Market is to NOT require a password or PIN

Caching the password is a bad default, agreed,
but I'm sure most are aware that google checkout is the default payment method for apps.

[abaxas]

Not if "someone else" is someone you have given details to (like spouse, kids) !

I take it you're happy for the CC company to prosecute your wife or child for fraud ?



but on to the main topic:

Caching the password is a bad default, agreed,
but I'm sure most are aware that google checkout is the default payment method for apps.

Child is fine as they cant be prosecuted for it.

[mikerr]

On the "cancel debt if my child used my credit card" line:
http://www.guardian.co.uk/money/2010...-debt-facebook

[Pancake]

That may well be the case, but there's definitely a problem with the way Google's Android OS operates.

If it doesn't ask for a password, does that mean people essentially have access to your credit card details, password free, if your phone is stolen?

Oohhhh, they can buy apps on your google account! what gain would they even get from that? you would own the apps.

If your phone gets stolen, and your stupid enough to not have a pin/password/pattern on the phone just change your gmail account password, or call your bank? perhaps Android is a little to complicated for some users