iOS app scammed users to authorize IAP with Touch ID

Google and Android have yet again come under fire for another batch of apps that either spread malware or practice fraud from under Google's and users' noses. Of course, many took the chance to point out Apple's closed but effective review process that blocks such apps from even getting into the App Store. But it's precisely because of that tight process that when misbehaving apps do get in, it's an even bigger problem.

The app in question, a certain third-party "Heart Rate Measurement" app, is now gone from the App Store, though perhaps a bit too late. Hopefully, it didn't do much damage, because the in-app purchase it deceived people into paying amounted to $90.

It does so by asking users to place their finger on the Touch ID button to read their heart rate, something the sensor isn't actually able to do. It then dims the screen to its darkest setting to hide the fact that it is actually bringing up the IAP confirmation screen. The moment you place your finger on the sensor, the payment is authorized. The scam is exposed on an iPhone X or later, which of course has no Touch ID in the first place.

How did such an app get past Apple's review process in the first place? There are various theories, but the one that might be the biggest problem is the review process itself. The app may have started out innocent enough to get through scrutiny, but since Apple doesn't review changes to in-app pricing, the "trick" could have been sneaked in through that kind of update instead.

This incident, which was hopefully isolated in Portuguese markets, does show that Apple may need to review its review process. As scammers and criminals get more creative, daring, and desperate, they will come up with more cunning ways to beat the system. And when you boast of having the best security system in town, even one intrusion, even small, is an even bigger embarrassment.