A news item this week over at AppleInsider uncovered a troubling practice by a developer at the iTunes App Store. Apparently, users who downloaded a free massive multiplayer online game from a Chinese developer complained of unauthorized in-app purchases, running up the bills on their iTunes accounts. One user reported the situation to Apple resulting in him getting a refund for the fraudulent purchases and Apple promising to investigate the claims.

Even with a closed system like iTunes, apparently it is still possible for dishonest people to find a way to steal our money. Let's hope that Apple gets to the bottom of this case and finds a way to prevent these unauthorized purchases in the future. Until there's more news about this problem, be sure to regularly check your iTunes receipts (sent to the e-mail address attached to your iTunes account) for strange charges and report the issue to Apple if you have any problems.

This week's apps include a unique location-based social network app and an arcade golf game where you flick to win.

GeoGroups (Free) is a location-based social network service (like popular app Foursquare) but adds a few new wrinkles to make it both unique and useful. Like other apps in this genre, GeoGroups uses your iPhone's GPS capabilities to locate both commercial- and user-entered stores, cafes, pubs, and landmarks relative to your current location. You also can create your own group based around anything--not just stores and coffee shops, but the popular bench by the lake in your favorite park, for example. In other words, you can create a location anywhere for other users to discover so they can join the group and add their own content.

GeoGroups has all the features of similar location-based social network apps such as map views, directions to locations, and the ability to "check in" once you arrive. You also can snap pictures of locations to add to a post, send the post to Facebook, or send location info to another GeoGroups user or friend via e-mail. Particularly handy is the ability to create a private group (with friends or family members, for example) that tracks your locations in real time. You can even set up the real-time tracking to turn off after a specified amount of time so it's OK if you forget to turn it off.

GeoGroups offers 500 public groups (and counting) so you can get started right away and check out popular fishing spots, Wi-Fi hot spots, lighthouses, and waterfalls, as examples. With the ability to create your own locations, the possibilities are truly endless. Overall, if you've been thinking about diving into the world of location-based social network services, GeoGroups offers tons of content and lots of flexibility that will make it useful to just about anyone.

Flick Golf ($2.99) is a unique arcadelike take on golf, focusing on single shots and ball control to score points at one-stroke holes. Those looking for a complete golf game should look elsewhere, but Flick Golf has plenty to offer as a quick pick-up-and-play arcade game. Beautiful graphics make the courses of one-shot holes a joy to behold, and you'll be playing in landscapes from sunny California to wind-swept Scotland. Choose between two game types including World Tour, where you play nine-shot tournaments to try to advance to the next course; or Quickshot, where you'll try to score as many points as you can in 90 seconds.

True to its name, Flick Golf requires that you flick or swipe the screen upward through the ball to send your ball to the green. While in the air, you can swipe to add spin and actually change the direction of the ball before it hits the ground. Scoring is measured by where you land the ball in the target (a scoring area with concentric circles around the hole). You also get bonus points for how much spin you used to get the ball to your target and whether you hit the pin with your shot.

As you progress through the game, you'll be challenged by difficult courses with gail-force winds you'll need to account for every time you take a shot. Fortunately, the ability to spin the ball while it's in the air will save your less than perfect shots, but a good shot makes it easier to get high-scoring hole-in-one shots. So far I have only hit one perfect shot (a "swish" shot directly into the hole) so even with all the ball control, there is plenty of challenge in this game.

Overall, Flick Golf is a great pick-up-and-play arcade golf game with beautiful graphics, precise controls, and plenty of challenge when you just want to waste a little time. You can also buy Flick Golf for iPad ($4.99).

What's your favorite iPhone app? Do you like the added flexibility for locations in GeoGroups? Have you hit a perfect shot in Flick Golf? Let me know in the comments!

'Tis the season to put the smackdown on everybody's favorite brain-munching undead horde: zombies. Of course, now that AMC's incredible "The Walking Dead" has ended its first season, you'll need something to tide you over until the flesh-eaters rise again. Look no further than these three new iOS games:

Dead Rising Mobile It's the classic story: man travels to small town, discovers it's been overrun by zombies, and holes up in the local mall--where said zombies arrive in wave after wave. Dead Rising Mobile ($4.99) won't win any beauty contests, but it offers a few cool twists.

For one thing, you can pick up anything (frying pan, golf club, park bench) and use it as a weapon. Plus, it integrates with Facebook and Twitter to notify friends when you bite the dust--and lets them "revive" you. You can even appear as a "named zombie" in their version of the game.

Zombies Ala Mode  Nothing tops off a feast of brains like a nice ice cream cone. In the comedic, cartoony Zombies Ala Mode, you're the soda jerk charged with serving the undead, which means catching falling scoops in the right flavors and amounts. The game is fairly simplistic--something kids will probably enjoy more than adults--but it's a fun little diversion and completely gore-free. (How many other zombie games can say that?) It's currently on sale for $1.99.

ZombieSmash HD  A longtime favorite for the iPhone and iPod, the castle defense-inspired ZombieSmash is finally available in HD form for the iPad. (Actually, not just yet: it's due for release on Dec. 16.) The update makes good use of the iPad's bigger screen, offering more zombie hordes and support for multitouch (for extra zombie-flinging goodness). Don't know the price just yet, but as long as it's under $5, it'll be worth it.

If these titles don't satisfy your zombie-whompin' cravings, be sure to check out 5 iPhone games for zombie lovers (and haters) and Braaaains: 5 more iPhone games for zombie lovers/haters.

Originally posted at iPhone Atlas

Enthusiasm for a promising new standard called Web Sockets has quickly cooled in some quarters as a potential security problem led some browser makers to hastily postpone support.

The Web Sockets technology, which opens up a live communication link between a browser and a server, remains an important part of plans to make the Web a home for more dynamic, interactive sites. It could, for example, speed up Google Instant searching and multiplayer games. But Mozilla and Opera put their Web Socket plans on hold this week until the wrinkles are ironed out.

The reversal is only the latest difficulty, though. Web Sockets development already had become somewhat contentious as eager browser makers--Google in particular--began including support for a specification they knew wasn't done. Overall, the Web Sockets history illustrates some pitfalls of the style and pace of Web standards development.

When technology companies are working on the next version of standards for Ethernet or USB, much of the work happens among dedicated engineers informed by work at test labs. But with the Web, the entire Internet is the test lab. That's because Web developers, not just browser makers and other industry powers, play a role in early-stage work shaping specifications and gauging interest.

Browser makers, naturally eager to curry favor with this influential audience in the highly competitive browser market, race to include new technology. With Web Sockets, Google was the first with a version of Chrome a year ago. Apple has followed suit with Safari 5; Mozilla had been building Web Sockets into the upcoming Firefox 4 and Opera into its upcoming Opera 11.

Web Sockets problem
Now, though, plans are shifting with publication of a security problem by Adam Barth, a programmer with extensive browser security expertise. In a November 26 paper (PDF), Barth pointed out a problem with the "handshake" used to set up Web Sockets connections. By exploiting it, an attacker could get a browser to run malicious code through a mechanism called cache poisoning, Barth and the paper's co-authors said.

"Although raw socket access is an important capability for full-featured browser-based applications, providing sockets safely has proven to be challenging," the paper said. The paper proposed a new, more secure mechanism that has won support among browser makers.

The backtracking came a few days later.

"We've decided to disable support for WebSockets in Firefox 4, starting with beta 8 due to a protocol-level security issue," Christopher Blizzard, a Mozilla leader of new-technology work, said in a blog post. "Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox, even a minor update release...To be clear, we're still excited about what WebSockets offers and we're working hard with the IETF [Internet Engineering Task Force] on a new WebSockets protocol." (Although the World Wide Web Consortium (W3C) is standardizing Web Sockets as part of HTML5, the IETF is in charge of the actual communication protocol it uses.)

Next came Opera. "Until the new WebSocket protocol handshake is sorted out by the IETF it will be behind a preference in Opera," Anne van Kesteren, who works on standards for Opera, said in another blog post.

Apple hasn't made commitments, but it appears to be concerned too. "We would be hesitant to ship protocol updates that do not fix the handshake. Given the security issues identified by the paper from Adam and company, we would even consider disabling WebSocket entirely in future releases until there is a more robust handshake," Maciej Stachowiak, a lead developer of Apple's Safari, said in a mailing list post.

Microsoft, which is trying to make up for lost time supporting new Web standards with Internet Explorer 9, was more cautious about Web Sockets support even before the security problem arose. So its commentary on the matter took the form of an I-told-you-so in a blog post by Web technical evangelist Giorgio Sardo.

"Rushing the implementation of a specific feature and call it "done deal" is dangerous and in some circumstance can bring to unpleasant results," Sardo said.

But Google, which employs Web Sockets editor Ian Fette, sees things differently from the rest of the pack. Fette had this to say in a statement to CNET:

We are not hiding it behind a flag at the current point in time. We released the details of the research to help guide the working group towards what we believe will be a more secure version of the Web Sockets protocol, and are hoping that the group will reach consensus in the next few weeks. We already have detailed a proposal for a more secure version, and are addressing various concerns that have been raised by others in the standards community.

It's important to note that the research paper Adam Barth et al. published does not demonstrate a working attack against the actual Web Socket implementation, but rather against one part [of] the protocol taken in isolation. There are other parts of the protocol that would make an actual attack more complicated in practice. We believe there will be consensus on a new version of the protocol, and implementation in Chrome of that new version, before someone is able to actually demonstrate an attack against the full Web Socket protocol as currently shipping in Chrome.

Web Sockets' background
In the early days of the Web, communications between browsers and servers were limited. A browser would request a Web page and a server would deliver it.

The modern Web, though, needs more. Web sites are becoming actively updated, and Web applications must communicate with the outside world. To that end, programmers have come up with workarounds such as Comet and long polling to try to keep a communications channel open.

Web Sockets is designed to make this task much easier to program and much faster in operation.

That could be very useful for many dynamic Web tasks--for example a site with live-streaming updates or multiplayer games with real-time interaction. Another example, from Fette, is a Web-based e-mail program: typing a letter in the "To:" field, the server might want to start providing a list of names or e-mail addresses that begin with that letter, then update the list when the next letter is typed.

That sort of communication is exactly what goes on with Google Instant, which provides search results on the fly, so it's not hard to imagine that Google would like Web Sockets there, too, in its obsession over cutting any millisecond possible out of the search process.

The technology has two important attributes. One is low latency: there's a smaller delay between when a message is sent and when it's received than using current approaches. Another is that Web Sockets doesn't use as much data.

It's therefore no surprise that browser makers were eager to embrace Web Sockets. Google, with its Chrome OS and Chrome Web Store push to enable a world of rich Web applications, has a particularly strong incentive.

Breaking changes
Even before the new security problem, the Web Sockets development had been contentious as Google and others issued browsers using the early "-76" version of the technology. One issue was whether Web Sockets support should be tucked behind what's called a vendor prefix. That would mean a Web programmer would call upon the feature using browser-specific instructions. That approach protects against Web sites breaking when the final, incompatible version is released later.

The debate about how to handle early-stage Web Sockets support has been going for months on the Mozilla mailing list.

"I think the best strategy is to just keep breaking people to force the expectation that this is still a work in progress, and if you're not aware of that you shouldn't be using it," Fette said in one comment. "From the browser perspective, my intent is to keep pushing out new revisions, with the assumption that we auto-update and will not have old versions lying around to deal with."

But not everybody updates software as diligently as might be ideal. That can lead to difficulties ensuring new technology doesn't break older technology, even if the older technology doesn't comply with modern standards.

"Personally I like Web Sockets. I'm looking forward to seeing them available in all browsers. But I also do care about consistent implementations, that work the same (interoperable, secure, stable) way across any browser--over time," Sardo said. "I don't want to write some code today, falling in the '(non) Web Standard trap,' and then have to re-write my code in 1 year from now because that particular implementation wasn't exactly ready for prime time yet and has been removed or changed."

In his comment to CNET, Fette defended Google's approach, including shipping Web Sockets early in Chrome with the possibility that its underlying technology would change.

"We have gained a good deal of insight by having an implementation we and others can experiment with," Fette said, including details about message sizes, compression, and interactions with the complex realities of networking. "I don't think it would be possible to do this work without that ability to experiment."

Because of that value, it's not likely that Web standards development will stop relying on real-world trials.

But what is changing is that development's pace. Google has a sense of urgency around developing Web Sockets. But with other major browser powers concluding otherwise, it's clear that Web Sockets' momentum has been slowed.

Originally posted at Deep Tech