Scam iPhone App Exploited Misunderstanding of Touch ID, Biometrics

“…the app would dim the screen, obscuring a purchase interface asking the user to confirm an in-app transaction of $89.99, with a bright red fingerprint icon distracting the user’s attention.”

An ostensibly health-related app for the iPhone was designed to use Touch ID to scam users out of almost $100.

As 9to5Mac reports, the straightforwardly named ‘Heart Rate Measurement’ app prompted users to touch the iPhone’s fingerprint sensor in order to have their heart rate measured. During that process, the app would dim the screen, obscuring a purchase interface asking the user to confirm an in-app transaction of $89.99, with a bright red fingerprint icon distracting the user’s attention.

In other words, it’s a scam, and as such, it was removed from the App Store the same day that 9to5Mac’s story was published.

The scam relies on a certain amount of confusion over contemporary biometric technology. Apple’s Touch ID system uses fingerprint recognition for user authentication; and while it features liveness detection technology, it isn’t designed to track cardiac measurements the way a fitness band or an Apple Watch can.

9to5Mac points out that this scam did not have much success on the iPhone X and more recent iPhone devices, since they don’t have Touch ID and instead use facial recognition for user authentication. But in theory, using biometric authentication to trick users into accidentally approving in-app purchases could be even easier through Face ID, and it’s probably only a matter of time before a new scam app arrives that puts this approach into practice.

Source: 9to5Mac