About My Dead Side Project, Cashify

It's been well over a year since Cashify was shut down, so I'm way overdue for a postmortem.

Cashify was an Android app that allowed users to exchange their Google Play credits for actual USD (sent to the user's Dwolla account). I've already written in detail about building it and exactly how it worked.

The Growth

I launched Cashify in August of 2014, and the last time I talked about Cashify on here it wasn't making any money (to be exact: I had made -$24). I never marketed the app and didn't really care that it wasn't making money; in my eyes the app paid for itself just through the experience and knowledge gained by building it. It cruised along at a nice pace of $0-1/month (total sales) and a total of 0 hours of maintenance and overhead (my legacy Heroku free/hobby tier account is one of my most valuable possessions) until October of 2015 when it was discovered by a redditor who posted it to https://reddit.com/r/beermoney.

  • October 2015 set a new record for me: $65 in sales! I made $6 that month. Pretty awesome!
  • November: About $200 in profit.
  • December gets fun: Almost $1000 in profit!

December was the month I ran out of money I was comfortable sending to people. The way Google Play pays developers for their in-app purchases (IAPs) is this: all IAPs in one month get paid out on the 15th of the next month. So, if a user purchased $10 from Cashify on December 1st, I send them $6 cash on December 1st, and Google pays me $7 on January 15th. That's 45 days where the money is gone from my bank account and in the loving and caring hands of The Big G.

Getting Creative (Risky Business)

Once I hit ~$7,500 of expenditure, I stopped being comfortable financing this from my personal checking account. This happened to coincide with Christmas week...where everyone is getting giftcards from (grand)parents and family. Terrible timing. I had about 100 people sending me emails and Reddit DMs about how the app is refusing to let them cash out (the app automatically checked my Dwolla account's balance at every button press so I wouldn't accidentally rob anyone).

I'm pretty risk averse so I decided to just refuse money for a while. Which after a few days I realized was crazy. So I found a way of borrowing money for exactly zero dollars, as long as I could pay it back in ~30-45 days: credit cards.

First, I found the bank of all banks (for my needs, anyway): BBVA Compass. They'll let you open an account with a credit card and they don't charge any fees, and then instantly transfer the account balance to a Dwolla account for immediate availability.

Not thinking about the fees behind using a credit card to get a cash advance, I chose to use my Banana Republic credit cards over a card that offered cash back because I was sooooo close to getting that extra $5 bonus I could spend at Banana Republic.

Then something magical happened: I realized my mistake (that I'd be paying exorbitant fees for the cash advance) and logged in to my Banana Republic account to check the damage. But lo and behold: they didn't charge any fees for the cash advance!

So I maxed out my Banana Republic cards and Cashify was back in business!

January saw more insane growth and in February sales started leveling off (probably due to copy-cat apps sprouting up).

Theft

Cashify itself was secure enough, maybe. I had thousands of attempts of manual hacking, replay attacks, and fuzzing thrown at my server and never had any issues.

Some large bookstore chain was not so lucky. I got a call from an investigator from this large bookstore chain, who had found my number through Google, asking about Cashify. He ultimately concluded I was an ally and told me that someone had socially-engineered someone at their stores and thousands of dollars worth of gift cards to Google Play, eBay, Macy's, and more (can't remember them all) were stolen.

These gift cards were then sold online, and at least one was used in Cashify. I offered to pay them for the card(s) used in Cashify, but it must have been such an insignificant amount in the grand scheme of the theft that it wouldn't have mattered and they declined.

In case you are wondering whether Google will just hand out your personal transaction information to any old investigator that calls them, they won't. The investigator contacted me because Google wouldn't give them any other information.

Google's Sandbox

Cashify is past-tense. But not on purpose.

I had PayPal integration ready to go, with plenty of money at-the-ready for a global launch (Cashify was US only), and bitcoin integration coming soon. It was February 29th 2016, I was watching a movie at the movie theater with my wife and daughter (LPT: turn off your phone when you are with your family), when I got the email:

This is a notification that your application, Cashify, with package ID com.pxcoach.credittocash, has been suspended from Google Play for violations of the Developer Distribution Agreement and Google Payments terms of service.

All violations are tracked. Additional suspensions of any nature or termination of your merchant account may result in the termination of your Play developer account, and investigation and possible termination of related Google accounts. If your account is terminated, payments will cease and Google may recover the proceeds of any past sales and/or the cost of any associated fees (such as chargebacks and transaction fees) from you.

Gulp.

Google has since cleared up some murky bits of their TOS, but at the time (August 2014), and through some very biased interpretation of their TOS, Cashify just looked like an app no one had thought of yet.

Although Google will not comment on app suspensions, I'm pretty certain they did not agree with my interpretation of their TOS (the giftcard terms were much more explicit: forbidding any cash value of the Google Play Credits).

Some interesting things happen to your Google account when you get an email like this (at least at the time):

  • You can't buy things connected to your Google account... like domains. Like the ones that were supposed to auto-renew the next day but didn't.
  • Contact forms and support pages related to finance disappear. All of them. Seriously. net::ERR_TOO_MANY_REDIRECTS gets old after a while.
  • Financial reports? Nope. You don't get to know how much we're not going to pay you.
  • Refunds? Nope. Can't issue those either.
  • Google Play Credits? What Google Play Credits?

It took about five months of emailing and filling out forms (obviously under a different Google account) before I finally got someone at Google to look into my case; I don't even know what finally worked. They sent me a check, which ended up being less than I thought it should have been. But I was happy.

Regrets

I don't have any regrets, it was so much fun and educational. But I absolutely wouldn't do it again. It was definitely a violation of their TOS, and they eventually did pay me. I'm still a happy Google user.

I've also since learned that Cashify accidentally turned Google (and thus Cashify) into a joint money transmitter, which is a regulated industry and is illegal to operate without a license, per 18 U.S. Code § 1960:

(a) Whoever knowingly conducts, controls, manages, supervises, directs, or owns all or part of an unlicensed money transmitting business, shall be fined in accordance with this title or imprisoned not more than 5 years, or both.

And the fine is $5,000 per day. Ouch.

Google did us both a favor by shutting me down (though I imagine they are already licensed for money transmission).

I'm really hoping FinCEN's own interpretation of "knowingly conducts an unlicensed money transmitting business" isn't Ignorantia juris non excusat and is more "he didn't know it was considered a money transmission service so the penalty doesn't apply and he would have stopped immediately had he known".

"The laws that we are supposed to be fully aware of and abide by are so complex that there is an entire profession dedicated to understanding them. One that takes 8 years to master."
 /u/teamrango

Learning

It's obvious, really, but sometimes the obvious is still worth saying: a TOS is not open to your own interpretation.

Whenever I want to do anything with a product where I'll need to pause for a moment to think if this could violate its TOS, I stop, print it, grab a highlighter, relax on the couch, and read it cover to cover. If I have any doubts, I call/email the service operator, if possible, to make sure.

Even if the TOS doesn't mention some use case that violates the spirit of it, and I think I've found a loophole, I'll call. I recently found a service I needed with a TOS that didn't forbid automated scraping and long-term use and storage of their data during the trial period; but clearly the owner would not want this. I could have scraped well over 6 figures worth of data, all while still falling within their TOS. Instead, I called them, explained what I'm building and worked out an amazing deal and long-term relationship with them.

Do unto others as they would have you do unto them.
 – The Platinum Rule

I also learned that there are laws surrounding money so deep FinCEN could probably find a way to get you in legal trouble for paying the kid down the street to mow your lawn. If you are a one-man shop, meaning you aren't working with a knowledgeable attorney, don't transfer money to/from people at scale.
