While Apple has shifted away from Touch ID for its newest products, the feature is still very popular and still very common out there in the real world.
That means rogue developers still have an opportunity to scam iPhone and iPad customers who rely on the biometric security measure. The latest example is a pair of apps, “Calories Tracker” and “Fitness Balance”, that used the Touch ID fingerprint sensor to trick users into approving in-app purchases of upwards of $99.99. The worst part is that the scam works precisely because Touch ID works so well: a finger that is already resting on the sensor authorizes a purchase the instant the prompt appears.
Reddit users spotted the apps over the last week or so. Here’s how it works: the apps include a “fitness tracking” feature that asks the user to place a finger on the Touch ID sensor to “create personalized diet and other stuff”. While the finger is resting on the sensor, the app triggers an in-app purchase prompt for various sums, up to $100. Because the finger is already on the sensor, and because Touch ID reads it so quickly, the purchase can be confirmed before the user realizes the app is using their fingerprint to authorize a payment of up to $100.
Here it is in action:
Scam iOS apps have been found on Apple App Store tricking users to pay over $100
— Lukas Stefanko (@LukasStefanko) December 3, 2018
The user is instructed to keep their finger in place for 10 seconds, so they may stop paying attention to the screen during that time, which makes a scam like this even easier to pull off.
The apps are similar in design, so it’s likely that they were built by the same person or people. At the time of publication, both have been removed from the App Store. Still, treat this as a cautionary tale. Always make doubly sure you know what you’re getting into when downloading and installing an app, even from the App Store, and keep an eye out for scams of all kinds. In particular, remember that if Touch ID is enabled for purchases, any purchase sheet that appears while your finger is on the sensor is approved immediately; if you would rather be asked every time, turn off the “iTunes & App Store” option under Settings > Touch ID & Passcode so that purchases require your Apple ID password instead, and if one of these apps has already charged you, request a refund through Apple’s Report a Problem page. Scam apps from rogue developers are all over the place, as developer David Barnard very succinctly outlined for us all recently. [via The Verge; ESET WeLiveSecurity]