Android In-App Payments Abuse Nightmares: Why Google Is Complicit

Should an Android app aimed at children include a $133 in-app purchase for worthless virtual merchandise? If you’re the kind of crook who runs fake real estate “universities” and stiffs your workers via multiple bankruptcies, you’d probably see nothing wrong with this. But most ethical people might wonder why Google would permit such an abomination. Is the fact that they take a substantial cut of each such transaction clouding their usually excellent ethical sensibilities in this case? Or is Google somehow just unaware, underestimating, or de-emphasizing the scope of these problems?

Complaints regarding in-app Android purchases arrive at my inbox with notable regularity. But one that arrived recently really grabbed my attention. Rather than attempt to summarize it, I’m including extended portions of it below (anonymized and with the permission of the authors).

Beyond the details of how parental locks and Google Play Store payment systems are designed and the ways in which they could be greatly improved, a much more fundamental problem is at the core of these issues. 

I have long considered in-app purchase models to be open for enormous abuse. Where they are used to “unlock” actual capabilities in non-gaming applications, they can play a useful role. But their use for the purchase of worthless “virtual” goods or points in games, especially when total purchases over the lifetimes of the games can add up to more than a few dollars, are difficult to justify. They are impossible to justify in games that are targeted at children. 

Though apparently entirely legal, it is unconscionable that Google permits these sorts of apps to exploit children and their parents, and then refuses to offer full refunds to parents who have been victimized as a result, particularly when those parents have attempted to diligently use the payment control mechanisms that are currently available.

Not Googley at all. Shame on you, Google.


 – – – – – –

[Permission for posting of these materials in anonymized form has been received from all associated parties. – Lauren]

Hi Lauren,

Thanks so much for considering this. [ ] is:  [ ]  – she’s fine with you sharing that with Google.

If it can happen to someone of her education what hope do the rest of us have… let alone a 4-year old who can’t read. She says also it’s fine to share her story, fully anonymised … It’s pretty horrible and I suspect also pretty widespread too….

On 05/23 09:16, [ ] wrote:

hi Lauren,

I’m sure you’ve heard lots of these kinda stories, so your indulgence is requested. Friend of mine – who holds a doctorate in business, no less – got a bill for around GBP 650 [currently about $870 – Lauren] after her 4-year old daughter was able to buy in-game despite parental locks. Or, that’s what my friend thought: Google said that updating the unit could wipe out those locks. And no refund is thus forthcoming. She has contacted the app developers too but obviously they’re happy enough with her money so nothing doing there. [Response from developer refuses to issue any refund – Lauren]

Two things:

(1) Why does an update clear locks? This is surely bad practice?

(2) How the hell can anyone justify a GBP 100 in-app purchase in a game directed at toddlers? This one can’t read yet and as we know, kids are experts on using touchscreen tech before any language skills develop.

P.S. any advice welcome – thanks loads

– – –

My 4 year old loves watching [ ]. On [ ] (Freeview) one of her favourite cartoons is [ ]. She loves this so much that she asked if she could download [ ] on my mobile phone to play. I obliged and made the usual checks; no ads, and parental locks engaged. She then asked to download another similar game; [ ]. She absolutely loves this game, and for a 4 year old, she’s got pretty good at it… certainly better than me and her big sis.

Again, I made sure parental lock and no ads were ticked within the app…. Last Friday I received a telephone call from the Fraud dept. at [ ] Credit Card, they suspected fraudulent activity on my card – in fact one transaction of GBP 99.99 and another of GBP 1.99 had gone on my card that morning.. and I hadn’t even left my house. I was obviously shocked and concerned – they said the payee was Google Play.

They asked if I had an android phone and whether I let me kids play on the phone. I said yes, but all games are ‘locked down’ so to speak. She asked me to go into my phone to check… to my sheer horror, I saw a long list of  ‘in-app’ purchases made by my 4 year old within the space (mostly) of three weeks. Now I usually check my credit card spends at the end of every month, and I hadn’t got around to checking for this month. I quickly toted up the separate transactions and figured that she had burned GBP 498.88  buying ‘[ ].. GBP 99.99 and ‘[ ] 1.99/ 29.99’ within the [ ] game.

I was totally in shock and rightly upset. Of course this wasn’t her fault  – she can’t read.. but how can an app associated with a children’s cartoon think its OK to embed in app purchases within their game … Google have informed me that updating my android can wipe out all the parental locks etc, and I have to check/ re-engage all locks etc after EVERY software upgrade. I contacted Google, and they have disappointingly refunded only GBP 70.00 – stating that its outside their T&Cs and that I need to request a refund from [ ]; the App developers.

I’ve emailed [ ], they haven’t bothered to respond (I’ve waited 72 hours and counting now) [Eventual response refused to refund – Lauren]. I’ve also contacted [ ] Credit Card, and they’ve said that they won’t help me… Surely this is ‘Soft Fraud’ and this is unethical and wrong… so parents please beware. This has and still is really upsetting for both me and my daughter. Please share and just be hyper careful on your phones. Here is most of her spending spree!! [Details of purchases for “virtual products” from the described app, ranging from GBP 1.99 to GBP 99.99 – Lauren]

– – – – – –

Using Google’s Daydream VR Headset for Augmented Reality and Positional Tracking Applications

When paired with suitable higher-end Google, Samsung, or various other brands of smartphones, the Google Daydream VR headset (currently in its second generation “2017” version, which is the version I’m discussing in this post) offers an extremely inexpensive path for “virtual reality” and other related experiences and experiments (the headset sometimes goes on sale for as little as $50).

In addition to of course being able to display Daydream-compatible VR apps, when a suitable Samsung phone is used it is also possible (via an interesting sequence of actions) to use many Oculus/Samsung Gear VR headset apps with the Daydream headset as well (feel free to contact me if you’re interested in the details on this).

At first glance (no pun intended) one would assume that Daydream headsets are unsuitable for “augmented reality” VR applications that require use of the phone camera, since the Daydream flap that holds the phone in place completely blocks the back of the phone and the camera lens.

This also seemingly eliminates the possibility of Daydream headset experimentation with “inside-out” 6DOF (six degrees of freedom) positional tracking applications, which could otherwise leverage the phone’s camera and Google’s “ARCore” platform to provide these capabilities that conventionally have only been available with far more expensive VR headsets.

We might consider cutting a hole through the rather thick flap of the headset (which also includes an integral heat sink — important when the flap is closed), but that’s messy at best, risks accidentally damaging embedded NFC tags, and is dependent on the exact position of the camera lens for any specific phone.

So here’s my alternative that requires zero modification of the Daydream headset itself, and only a few simple parts to achieve — an elastic strap to hold the phone in place with the flap of the headset left open and the phone camera lens exposed for use. The completed strap is simple to install or remove from the headset at any time, since the flap can be pulled outward to create a gap for this purpose.

To view a set of photos showing the assembly sequence and the finished design, please visit:

I used a piece of elastic that already had a plastic catch on the end of suitable size to hold the elastic in place under the flap hinge. Alternatively almost anything of similar dimensions could be attached to a strip of elastic to achieve the same result.

You simply slide the completed assembly between the flap of the headset and the main part of the headset, strap in the phone, and you’re ready to go. I originally tested this using a metal washer, but decided that even wrapped in tape there was some risk of scratching the phone. A better protected metal washer would probably be fine. I printed up a custom-sized plastic washer to use instead.

The elastic holds the phone in place quite snugly, though with enough violent head motion it might be possible to force the phone to slide out from under the elastic. It should be straightforward to slip little barriers on the sides to avoid this, or simply avoid violent head motions! Also keep in mind that you don’t want to apply significant downward pressure to the open flap, since that would risk potentially breaking the plastic supports that keep it from falling further open.

Anyway, it’s really just the elastic, the washer, and several small cable ties!

OK, it’s a hack. No apologies.

If you have any questions, please let me know!

And of course, be seeing you.


Google’s Lightning-Fast Response to My “Trusted Contacts” Concerns

Very recently I discussed my concerns regarding several issues related to Google’s “Trusted Contacts” service. Trusted Contacts permits users to send their current location data to other users as notifications.

The situation was triggered when I suddenly began receiving such location data notifications from somebody I’d never heard of in Africa. Address typos? Trying to attract my attention for some other reason? I dunno.

But stopping those emailed notifications was easier said than done, because it turned out that there was no way to do so from a web page, and the only available mechanism to block them was usable only via the Trusted Contacts smartphone app that needed to be installed, which required enabling of Location History which I don’t ordinarily use. After installing the app (which I had no personal interest in installing otherwise, and which of course a person without a suitable smartphone would not have been able to do) I was ultimately able to stop the notifications. Not a good user experience.

Since then, I’ve already been contacted directly by Google’s privacy and maps teams about these issues, and they’ve now implemented the means for users to easily unsubscribe from such notifications via a web page — without the need for installing an app. Other very useful changes related to the issues that I identified are apparently in the pipeline for availability.

My great thanks to the Google teams involved for so rapidly reaching out to me regarding these matters, and especially for the ultra-quick implementation of the web-based Trusted Contacts notifications unsubscribe tool that is now available to desktop users!


Google Predictably Makes a Confused Jumble Out of New YouTube, Music Offerings

An old saying suggests that the only inevitabilities are death and taxes.  When it comes to Google, there are a couple more that we can add. Google will likely always have an array of often incompatible and overlapping “chat” programs and systems — and their paid video and music offerings will be a maze of twisty passages, all different.

Google hasn’t disappointed in that respect with the manner in which word has gotten out about their latest paid content changes. The one thing that seems clear is that the brand “YouTube Red” is apparently going away. But after that, everything is about as easy to understand as hieroglyphics prior to the discovery of the Rosetta Stone. 

YouTube Premium, YouTube Music. YouTube Music Premium. And what of Google Play Music (for free, purchased, and uploaded music) — which Google in their tweets (trying to calm down confused onlookers on Twitter) says is continuing for now?

I tried to figure it all out last night and got a terrible headache that forced me to quit. This morning, it’s all as clear as mud.

There are a couple of things that I’m fairly sure about. At the moment I’m in Google’s “family plan” for $15/month that gives me both YouTube Red and Google Play Music paid services for up to six accounts. I use it mainly for ad-free YouTube viewing and to be able to simultaneously stream different music to different Google Home devices without conflict, from music sources on Play Music and YouTube.

I’ve been led to believe that for existing subscribers of these services under their new names, there are no immediate price changes — though likely that’s coming down the line. It appears that obtaining the same mix of content under Google’s new plans will cost new subscribers more (though they may be able to lock in current prices for a time if they subscribe to the existing plans before the new plans launch reportedly next week).

But how much more will the new services cost going forward? Perhaps the Sphinx could figure it all out. I’ve seen so many different numbers and combinations of services now — not to mention that the future and form of Play Music still seems up in the air — that the only thing seeming certain is uncertainty itself.

I do know that for essentially the same paid mix of video and music content that I receive now from Google, I’d personally probably be willing to pay a wee bit more. But not much more and/or for a more limited set of content. In such latter eventualities, I’d be tempted to drop all of these Google paid content services entirely.

For the moment though, I think that I will sit tight for a bit, and wait for some sort of clarity to hopefully eventually shine its light on this current but predictable Google communications confusion.

Isn’t it nice to have a hobby?


The Amazing 360 VR “Scoring the Last Jedi” Video

I just watched “Scoring The Last Jedi: a 360 VR Experience” – – for the first time, via a Google Daydream VR headset. It’s absolutely stunning, especially if you’re a lifetime fan of film scoring as I am.

Frankly, I was smiling like an idiot through the entire video. Put aside the flight simulators and the games for a moment — if you have the VR hardware to watch this baby (Google Cardboard will work fine too, if your smartphone has a good gyro), it demonstrates — better than anything else I’ve seen so far — what the potential is for VR to transport you almost physically to a different time and place.

Be warned, just watching this on YouTube without a VR headset is like an ant compared with a skyscraper. You really must see it in VR to properly experience this video.

As I’ve said previously, this kind of tech will ultimately either save civilization — or destroy it. It’s really that important.

Trust me on this.