A few scammy iOS applications have been taking advantage of Apple’s Touch ID platform by trying to trick users into making payments with false promises of using the fingerprint scans for fitness data, according to ESET’s WeLiveSecurity blog.
The two apps — called “Fitness Balance” and “Calories Tracker” — were spotted by various Reddit users over the last week, and both employ similar tactics. As part of their so-called “fitness tracking,” the apps ask users to place their fingerprint on the Touch ID scanner for 10 seconds, to “create personalized diet and other stuff.” While a user’s finger is placed on the pad, the app pops up an in-app purchase payment request for sums of money like $99.99. Since the user’s finger is already on the Touch ID pad, the request can be approved almost immediately.
This hack works because Touch ID is such a seamless process. By trying to be as fast and unobtrusive as possible, the phone starts scanning the finger that’s already on the pad as soon as the payment request pops up. The speed at which Touch ID works means that by the time a user has processed what’s going on, the payment has already been approved.
There are legitimate technologies that can provide fitness information like this, like the Apple Watch Series 4’s upcoming EKG feature that has users place their finger on a side button to measure their heart data. And while those features have nothing to do with fingerprint scanning, it’s easy to see how some users made the mistake of thinking that an iPhone could do something similar.
Based on the similar UI, it seems likely that both apps were created by the same developer. Fortunately, both seem to have been removed from the App Store, and hopefully Apple will keep a closer eye on this kind of UI hacking in the future.