Fitness-tracking apps caught misusing Touch ID to steal money from iPhone users

Apple gives dodgy apps the finger.

Graham Cluley

Reddit users have shined a spotlight on an underhand user interface trick used by certain iOS fitness apps to trick iPhone owners into approving unwanted in-app payments with Touch ID.

As researchers at ESET describe in a blog post, iOS apps called “Fitness Balance” and “Calories Tracker” claim to put you on the course to fitness, by helping you calculate your BMI, remind you to drink water more often, and track your calorie intake.

However, the true aim of the apps appears to be to trick unsuspecting users into approving payments of over US $100.

Upon start-up of the apps, users are requested to scan their fingerprint in order to “view their personalized calorie tracker and diet recommendations.”

[Image: Touch ID scam screenshot 1, the fingerprint prompt]

However, quick as a flash the app pops up an in-app payment dialog asking you to approve a payment of US $99, US $119.99, or €139.99.

Which means – of course – that if your finger is still touching the fingerprint scanner – you’ve probably just approved the payment. Ouch! It’s not your body that’s losing weight, it’s your wallet.

[Image: Touch ID scam screenshot 2, the in-app payment dialog]

Both “Fitness Balance app” and “Calories Tracker app” have now been removed from the App Store, but questions should be asked as to how Apple’s vetted app store allowed these dodgy apps into their marketplace in the first place.

My guess is that if two apps have tried this scam, there may be others attempting it too.

One defence is to not have a credit or debit card directly connected to your Apple account, but frankly – you’re likely to find that more of a nuisance than it’s worth.

So, if you feel you have been sneakily tricked into making an in-app purchase your best bet may be to complain to Apple and request a refund.

For more discussion on this issue be sure to check out this episode of the “Smashing Security” podcast:

Smashing Security #107: 'Sextorting the US army, and a Touch ID scam'

Graham Cluley is a veteran of the cybersecurity industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
