Apple offers a closed system for iOS applications where you know each one has been tested and approved, and it’s very hard to find a malicious app in the store.
Since the launch of fingerprint approval with the iPhone 5S, apps have included an in-app payment option using Touch ID. These payments are secured by a fingerprint, which leaves the user believing that the process is seamless, secure and only authorised by themselves.
Sadly, it appears rogue developers have found a method of getting people to download their app and extracting funds maliciously, often without the user even realising they’ve paid a fee.
ESET, a well-known US security brand, has found two fitness apps which used Touch ID to extract unauthorised payments from users from within the apps. The two apps were live on the Apple app store as “Calories Tracker app” and “Fitness Balance app” clearly aimed towards anyone who was searching for an app to track their calories.
Each app would require you to authorise access in order to “view your personalized calorie tracker and diet recommendations”, which most people would automatically approve. The problem is that the same fingerprint prompt also approves payments, and what these apps were doing was obtaining your fingerprint to charge an unauthorised fee. Both apps would ask for a fingerprint, quickly flash up a payment warning and charge the user $120 each time the user accessed the app. The warning was visible for less than a second.
The worrying part of this scam was that the apps had multiple 5-star ratings and over 18 mostly positive reviews, so any user looking for these apps before downloading would think other users had rated them highly. If users reported the issue to the developer, they were told to wait for the new 1.1 version to fix any outstanding errors and issues.
ESET doesn’t offer many solutions on how to avoid these rogue apps as, like they rightly argue, only Apple can authorise these apps, and Apple won’t allow you to install security software on your iOS device, meaning you rely solely on Apple’s judgement and approval process to keep you secure. ESET does state that the iPhone X/XR/XS has a double-click to approve function, which means iPhone X/XR/XS users are less likely to be scammed in this manner.
Both apps have been removed from the App Store.
View the original ESET blog post.