We trust Apple to protect us against scammers and malware in exchange for the hefty cut it takes from every dollar we spend in the iOS App Store. And to be fair, the company does a fairly decent job of keeping malicious apps out of its mobile app market. The App Store’s rigorous vetting process makes sure every app that finds its way onto its digital shelves adheres to security rules and doesn’t contain malicious code.
However, scammers and hackers occasionally find ways to slip through the App Store’s safeguards. This month, redditors exposed two fitness apps on the App Store that used clever tactics to defraud users out of their money.
What made the scam especially significant is that avoiding it requires awareness and quick reflexes from the user. The apps also relied only on the normal functionality of iOS apps and didn’t contain any malicious code, which makes them harder for the App Store security team to detect.
How the Touch ID scam works
“Fitness Balance” and “Calories Tracker” present themselves as two apps that provide health assistance and diet recommendations. When you launch the apps for the first time, they require you to pass a fingerprint scan to create a health profile for you. This sounds like a fair way to protect sensitive health information.
But as you’re going through the scanning process, the app suddenly pops up a payment approval request. Since your finger is already on the fingerprint scanner, iOS will automatically approve the payment and the popup will disappear in mere seconds.
If you manage to retract your finger and skip the payment, the app will show another popup and insist that you need to go through the fingerprint scanning process again so that it can charge you. In the screenshots shared, users were getting hit with fees over $100.
What’s interesting is that the scammy apps are using functionality that is perfectly legitimate, namely asking the user to confirm a payment. However, they’re using it in a deceitful manner, which is a violation of the App Store’s Terms of Service.
What’s even more notable is that when users contacted the developer and communicated the issue, the developer replied with an automated response, claiming they’re “working hard to fix it.”
How to protect yourself
First things first, Apple has already removed both apps after users reported them. Also, if you’ve been scammed by either of the apps, you’re eligible for a refund, since the apps violated Apple’s rule against tricking users into spending money.
However, there’s no guarantee that a similar—or worse—scam won’t find its way into the App Store. Here are several tips that can help you identify and avoid such scams.
- Prefer trusted developers: When downloading apps that provide extremely common functionalities, such as fitness and calorie tracking, try to choose a reliable developer. Reputable apps should have thousands of downloads and hundreds of reviews. Their developers should also have a verifiable online presence (website, social media accounts, LinkedIn, etc.).
- User reviews are important: Reviews can tell you a lot about the app you’re about to install. Both of these apps had few reviews, and all of them were positive, which is suspicious. As ESET’s Lukas Stefanko explains, positive feedback is easily faked, while negative reviews are more likely to reveal the true nature of the app.
- iPhone X users are protected: Since the scam is designed to work with fingerprint scanners, it won’t work on the iPhone X, which has ditched Touch ID for Face ID, Apple’s facial recognition technology. Payment and app install approvals on the iPhone X require a double click of the power button and a face scan, so a payment can’t be approved silently while your finger rests on a sensor.
Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.