2018-12-03

Two iOS apps have been fingered by customers for a particularly devious hack that has conned users out of money through Touch ID. They promised to use a fingerprint scan for fitness data before slapping users with a charge, well in excess of €100 in some cases.

The two apps, Fitness Balance and Calories Tracker, both use a similar trick to rip customers off (via WeLiveSecurity). The first stage of the trick is to ask users to lay their fingers down on their Touch ID scanner for 10 seconds, in order to access some fitness insights.

Once a finger is on the sensor, the app pops up an in-app purchase request for a large sum of money. Because the user’s finger is already resting on the sensor, Touch ID reads it as authorisation of the purchase.

Very naughty indeed.

While it’s definitely malicious, in reality this isn’t an exploit so much as a clever UI hack on the developer’s part, one that takes advantage of the work Apple has put into making Touch ID as unobtrusive as possible.

It’s unclear how this can be fixed. Both of the apps in question have been canned from the App Store.

We spoke to Harry Slater, the deputy editor of mobile gaming site Pocket Gamer, who claims that in this case the cheats are unlikely to prosper: “Apple pays royalties to apps on a monthly basis, so it’s unlikely a scam of this sort is actually going to work. If the money has gone out of people’s accounts, then there might be some faff getting it back, but the App Store pays 45 days after the last work day of the month when the purchase was made, so depending on when the apps were caught money probably hasn’t actually changed hands yet.

“These are the sort of scams we’re going to see more of as our mobile devices get more secure, using something we take for granted in a way we don’t expect. Apple could extend the length of time a Touch ID payment flashes up, but then things are going to take slightly longer for legitimate payments. Better vetting policies for apps that use Touch ID are probably a better approach.

“From a personal point of view it’s about being vigilant, and making sure you know as much as you can about the apps that you’re giving your info to.”