[Update: 4:58 ET: The app is no longer available on the App Store.]
Despite Apple’s strict review process for software distributed through the App Store, it’s still possible for malicious actors to take advantage of loopholes in the system to scam customers.
The latest example is a rather sophisticated and devious trick used by an app that claims to read your heart rate through your fingertip using Touch ID. In reality, the app (which is currently on the App Store) uses your fingerprint to authorize a transaction for $89.99 while dramatically dimming the screen to fool you.
The con is less effective on iPhones and iPads with Face ID (iPhone X and later, and the 2018 iPad Pro), but iOS devices with Touch ID still likely make up the majority of devices in use today.
Using a third-party app from the App Store to read your heart rate from the iPhone or iPad isn’t uncommon either. Apps like Instant Heart Rate: HR Monitor have long used the camera and flash to attempt to take heart rate measurements through the finger.
In the case of the ‘Heart Rate Measurement’ app currently on the App Store, the scam relies on the user not reading the dialog box that appears when a heart rate reading is attempted. The screen brightness drops to its lowest point, and the black-and-white in-app purchase interface is almost illegible next to the bright red fingerprint icon that appears on-screen on Touch ID devices.
(Devices with Touch ID disabled, or with Face ID, are less prone to the trick.)
While the app clearly violates App Store policy for misleading customers with ridiculous in-app purchases unrelated to the app’s function, it’s possible that the trick used by the app was added after Apple’s app review process.
Apple requires approval for in-app purchases during app review, but not for changing their price (from 99¢ to $89.99, for example). The malicious app may also be flying under the radar because it largely targets Portuguese-speaking customers, although it supports English as well.
Apple can rely on user reports and press coverage to find bad actors like this scam app, but a post-approval review process for changes like in-app purchase adjustments may also be necessary. That’s unfortunate for developers as it adds yet another step between making business changes and reaching customers.
Apple could also add a Report Suspicious Apps action button to the App Store page to make it easier to report malicious apps.
We expect the app in question to be removed, but it’s certainly not the first App Store app to use the fingerprint authentication method to trick users into handing over money. Another app from a different developer account but possibly from the same developer appears to be using the same trick.