Touch ID is a useful and convenient feature. It allows users to unlock their iPhone or approve a purchase almost instantly. Unfortunately, the same feature is now being used by some to trick users into spending significant sums of money on worthless services, but thanks to Redditors, the Touch ID scam is now exposed.
How the Touch ID scam works
This Touch ID scam, which was discovered by Redditors and reported by the WeLiveSecurity blog, tricks users into making in-app purchases amounting to as much as $119.99. According to the Redditors, some iOS apps disguised as fitness apps encourage users to scan their fingerprints so they can be linked to their fitness data, but in reality, the apps use the scan to get approval for in-app purchases.
Scam iOS apps has been found on Apple App Store tricking users to pay over $100
— Lukas Stefanko (@LukasStefanko) December 3, 2018
Several users reported two such apps over the last week: Fitness Balance and Calories Tracker. Both apps, which have now been removed, used similar tactics to trick users. These apps first ask users to put their fingerprint on the Touch ID scanner for 10 seconds to help them “create [a] personalized diet and other stuff.”
Once the user puts their finger on the scanner, a request for an in-app purchase payment pops up. The app also dims the screen to make the pop-up harder to see. If the user declines to use the Touch ID, it asks the user to select “continue,” and then the app tries the Touch ID scam an infinite number of times until the user gives in or uninstalls it.
Since their fingers are already on the Touch ID pad, the payment request is approved instantly without users getting any chance to revert the process. This Touch ID scam was able to trick users because it’s a seamless process.
“As soon as you put your finger on there, it starts scanning, so it’s ready and acting very quickly,” says Stephen Cobb, a senior security researcher at cyber-security firm ESET. “Someone cleverly figured out they could use the way that’s implemented to get people to do things that they don’t want to do.”
Both apps appeared credible
The Fitness Balance app had an average rating of 4.3 stars and 18 mostly positive reviews, according to WeLiveSecurity. According to app analytics firm Sensor Tower, the Fitness Balance app raked in $10,000 in November, while the Calories Tracker app earned $60,000.
Both shady apps had similar user interfaces, suggesting they were from the same developer. Although Apple has removed them, there is no guarantee that the App Store has been cleansed from such apps. Now that Apple knows how the Touch ID can be misused, hopefully it will place more filters to block or detect such apps.
Some users who were duped by the apps say their requests for refunds are processing and should be completed in 30 days. Other users who fell victim to the Touch ID scam are advised to contact Apple for a refund. To learn about App Store refund procedures, visit Apple’s support page.
As of now, there is no comment from Apple on the matter.
How to avoid such apps
It must be noted that the Touch ID scam may not trick users with an iPhone X or later. These devices don’t have a home button, and so to use Apple Pay using Face ID, you will have to double-press the side button. For users with older iPhones, the best way to avoid such apps is to stay alert and not use the Touch ID on apps you don’t trust or aren’t sure about. Users with older iPhones can also disable Touch ID payments by going to Settings -> Touch ID & Passcode and then disabling “User Touch ID for iTunes & App Store.”
Apple’s developer guidelines strictly prohibit apps from tricking users into “making unwanted purchases” or trying to “charge for features or content that are not delivered.” Developers violating these guidelines risk being banned for life.
Even though Apple has a decent track record when it comes to App Store security, there have been a few instances of shady apps troubling users. For example, in 2017, a fake port of the Xbox game Cuphead made its way into the store. In 2012, a fake Game Boy classic Pokemon Yellow game also entered the App Store, but it was quickly removed.