App Store scammers are making thousands of dollars by exploiting TouchID
Shady developers have found a new way to trick users into spending ridiculous sums of money on worthless services.
The scheme, which was discovered by Redditors and reported by the , uses TouchID to trick users into in-app purchases, which can be as high as $99.99.
The blog uncovered two such examples, both from purported fitness apps. In both cases, the apps instruct users to hold their finger over their iPhone‘s home button in order to “scan” their fingerprint for health data. While the “scan” is happening, though, the app triggers an in-app purchase, which is then authenticated via TouchID and completed before the user even realizes what is happening.
Welivesecurity blog uncovered two examples of this tactic, one called “Calories Tracker app” and one called “Fitness Balance.” Both apps have since been removed by from the App Store by Apple, but you can see it in action in the video below. Apple didn‘t immediately respond to a request for comment.
Shady though they are, it appears that these developers‘ tactics were extraordinarily successful. “Calories Tracker app,” pulled in $60,000 in November while “Fitness Balance” made $10,000, according to data from app analytics firm Sensor Tower.
The incident also raises the questions about Apple‘s ability to detect scams in the first place.
Though Apple‘s App Store has a reputation for being safer than other app stores, this isn‘t the first time shady developers have been allowed to get their apps into the store. Last year, a number of barely-functional apps were removed for into paying for exorbitantly-priced subscriptions.
One such app, which also took advantage of the App Store‘s search ads, was charging $99.99 weekly for a worthless VPN service. The app was pulling in $80,000 a month before it was eventually removed.
var snp_f = ; var snp_hostname = new RegExp(location.host); var snp_http = new RegExp("^(http|https)://", "i"); var snp_cookie_prefix = ''; var snp_separate_cookies = false; var snp_ajax_url = 'https://prestonbusinessreview.com/wp-admin/admin-ajax.php'; var snp_ajax_nonce = '19e7d3a1f0'; var snp_ajax_ping_time = 1000; var snp_ignore_cookies = false; var snp_enable_analytics_events = false; var snp_is_mobile = false; var snp_enable_mobile = true; var snp_use_in_all = false; var snp_excluded_urls = ;