How this Touch ID scam can cost iPhone users hundreds of dollars

We trust Apple to protect us against scammers and malware in exchange for the hefty cut it takes from every dollar we spend in the iOS App Store. And to be fair, the company does a fairly decent job of keeping malicious apps out of its mobile app market. The App Store’s rigorous vetting process makes sure every app that finds its way into its digital shelves adheres to security rules and doesn’t contain malicious code.

However, occasionally, scammers and hackers find ways to slip through the App Store’s safeguards. This month, redditors exposed two fitness apps on App Store that used clever tactics to defraud users out of their money.

What made the scam especially significant is that avoiding it requires awareness and quick reflexes by the user. The apps also made use of the normal functionality of iOS apps and didn’t contain any malicious code, which makes it harder for the App Store security team to detect it.

How the Touch ID scam works

“Fitness Balance” and “Calories Tracker” introduce themselves as two apps that provide health assistance and diet recommendation. When you launch the apps for the first time, they require you to pass a fingerprint scan to create a health profile for you. This sounds like a fair way to protect sensitive health information.

But as you’re going through the scanning process, the app suddenly pops up a payment approval request. Since your finger is already on the fingerprint scanner, iOS will automatically approve the payment and the popup will disappear in mere seconds.

If you manage to retract your finger and skip the payment, the app will show another popup and insist that you need to go through the fingerprint scanning process again so that it can charge you. In the screenshots shared, users were getting hit with fees over $100.

What’s interesting is that the scammy apps are using functionality that is perfectly legal, which is to get the user’s confirmation for the payment. However, they’re using it in a deceitful manner, which is a violation of the App Store’s Terms of Service.

What’s even more notable is that when users contacted the developer and communicated the issue, the developer replied with an automated response, claiming they’re “working hard to fix it.”

touch id scam

How to protect yourself

First things first, Apple has already removed both apps after users reported them. Also, if you’ve been scammed by any of the apps, you’re eligible for a refund, since the app has violated Apple’s rule of not tricking users into spending money.

However, there’s no guarantee that a similar—or worse—scam doesn’t find its way into the App Store. Here are several tips that can help you identify and avoid such scams.

  1. Prefer trusted developers: When downloading apps that provide extremely common functionalities, such as fitness and calorie tracking, try to choose a reliable developer. Reputable apps should have thousands of downloads and hundreds of reviews. Their developers should also have a verifiable online presence (website, social media accounts, LinkedIn, etc.).
  2. User reviews are important: Reviews can tell much about the app you’re about to install. Both of these apps had few reviews, and all of them were positive, which is suspicious. As ESET’s Lukas Stefanko explains, positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.
  3. iPhone X users are protected: Since the scam is designed to work with fingerprint scanners, it won’t work iPhone X, because it has ditched Touch ID for Face ID, Apple’s facial recognition technology. Payment and app install approvals on iPhone X require a double click of the power button and a face scan.
Ben Dickson

Ben Dickson

Ben Dickson is a software engineer and founder of TechTalks. His work has been published by TechCrunch, VentureBeat, the Next Web, PC Magazine, Huffington Post, and Motherboard, among others.