Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
IOS Software The Almighty Buck Apple Technology

Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120 (threatpost.com) 64

secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.

According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.

This discussion has been archived. No new comments can be posted.

Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120

Comments Filter:
  • by 140Mandak262Jamuna ( 970587 ) on Monday December 03, 2018 @10:02PM (#57744800) Journal
    Come on. Who writes these abstracts? Google Translate?
    • Come on. Who writes these abstracts? Google Translate?

      Come, your answer in broken music; for thy voice is music and thy English broken; therefore, queen of all, Katherine, break thy mind to me in broken English.

  • Apple's 30% Cut (Score:2, Insightful)

    As long as Apple got their 30% cut, they looked the other way.

  • Something seems off (Score:4, Interesting)

    by 93 Escort Wagon ( 326346 ) on Monday December 03, 2018 @10:35PM (#57744984)

    If it’s a regular App Store or Apple Pay transaction, the app doesn’t control the request for you to scan your fingerprint - so I don’t see how it can pop up “just for a second”.

    I think there’s some information possibly being withheld here.

    • Yes I wondered as well how it exactly happens.
    • by Anonymous Coward

      The app tells you to scan your thumb. I thought iOS blocked access to the fingerprint scanner but it clearly provides enough information to know when your thumb is on the home button. The app starts a 10 second countdown once it sees your thumb is on the home button, and around three seconds in starts an Apple Pay transaction. Since your thumb is already on the home button, this will vanish as fast as Touch ID works, which is less than a second, then the payment is made while the countdown continues in the

      • I thought iOS blocked access to the fingerprint scanner but it clearly provides enough information to know when your thumb is on the home button.

        iOS doesn't block apps from accessing TouchID. That would defeat its purpose.

        Many apps use TouchID for logging in (no more passwords to remember) or to process a transaction (e.g. using Starbucks app and TouchID to reload money to a gift card)

        • That’s not what I said. The app basically hands the request for a purchase off to iOS, then iOS tells the app whether the verification was successful or not. The app itself has no say in the duration of the window’s appearance - the transaction is managed by iOS.

      • by _merlin ( 160982 ) on Tuesday December 04, 2018 @12:40AM (#57745482) Homepage Journal

        Well the solution would be to provide some amount of guard band, like a "Please remove your finger and read this" prompt if you have a finger on the sensor before the message appears.

        • by Anonymous Coward

          Probably a good idea, like "Processing payment, please remove your finger and touch the sensor when instructed to do so" or similar. Granted, I can't fault Apple here and I'm about as anti-apple as can be. I would have never thought of that on my own.

          • by _merlin ( 160982 )

            You must have never worked with safety-critical equipment. This kind of interface design is common in robotics and heavy machinery.

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday December 04, 2018 @04:17AM (#57745976)

      If itâ(TM)s a regular App Store or Apple Pay transaction, the app doesnâ(TM)t control the request for you to scan your fingerprint - so I donâ(TM)t see how it can pop up âoejust for a secondâ.

      I think thereâ(TM)s some information possibly being withheld here.

      I suspect the following is what happens:

      1) The app has somehow done something to put up a window on top of system notifications. Draws a "Use touch ID to log in" type message.
      2) The app then commands a in-app payment from the user. This pops up a dialog basically asking the user to confirm or deny the payment.
      3) Because of exploiting (1), the app drawn window obscures the message.
      4) iOS interprets the use of Touch ID as confirmation of the payment
      5) Because of something in the background (app store processing - it can hang the UI thread it seems), the app loses control of the top level window it's forcing, iOS draws the confirmation dialog so it appears
      6) When the app gets notification that the user paid, it removes the message as well.

      Step 5 happens, and sometimes when music is playing by the app, the music is paused, which seems to indicate while app store processing is done, either a thread or the entire app is suspended temporarily losing control of whatever it was doing.

      I would suspect somehow the app manages to draw over the App Store dialogs somehow - whether it's through a view bug or a Z-buffering bug or just doing something that somehow causes the window Z order to be incorrect briefly.

      Though I thought usually the dialog first asks for confirmation to which you must say yes or no before you can even authenticate the purchase next, so the app must trick you into tapping a particular part of the screen first...

      Though I wouldn't feel too bad for the people tricked - they can get a refund through Apple.

  • Comment removed based on user account deletion
    • by Anonymous Coward

      $120 is a pretty good deal for a semester in the school of hard knocks. Compare it a DUI that costs of $9000 (you're already thinking of DBZ, cuz you lost the game), and it's obvious this a better ROI with less risk to others.

      At that precise point in your sentence I was thinking that you're an alcoholic that believes everyone else is too. I'm not sure I really feel like the loser in this situation, and we haven't even discussed the apparent anime reference.

  • by rworne ( 538610 ) on Monday December 03, 2018 @11:52PM (#57745318) Homepage

    The iHeartRadio app pulls similar bullshit, just not as scammy.

    Shortly after bringing up the app, and around the time you select starting your feed, a near full-screen ad pops up asking if you want a subscription, with a cancel "X" in the top corner and a "Purchase button" on the bottom. Problem is, the whole ad surface is actually a purchase button unless you tap the small area with the "X". If you mess up and have FaceID or touch the home button, it immediately attempts a transaction.

  • Payment by Phone (Score:4, Insightful)

    by nukenerd ( 172703 ) on Tuesday December 04, 2018 @08:12AM (#57746510)

    With payment by phone, expect plenty more scams like this.

  • It's a simple cost of doing business for any consumer who wires their bank credentials into the cloud, and then runs random applet downloads in the same sandbox.

    So you put a wall-sized aquarium in your nursery with your newborn twins, and inside the aquarium you stock a giant python or cobra, and then you get yourself a riced-out 1 hp Roomba from Akihabara, just because, and then you download an experimental, indoor auto-mapping package for said Roomba from some applet pop-shop located in a dusty, foreign c

  • You can't even download a free app without a credit card registered.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...