Fitness-tracking apps caught misusing Touch ID to steal money from iPhone users

Apple gives dodgy apps the finger.

Graham Cluley

Reddit users have shone a spotlight on an underhand user-interface trick used by certain iOS fitness apps to fool iPhone owners into approving unwanted in-app payments with Touch ID.

As researchers at ESET describe in a blog post, iOS apps called “Fitness Balance” and “Calories Tracker” claim to put you on the course to fitness by helping you calculate your BMI, reminding you to drink water more often, and tracking your calorie intake.

However, the true aim of the apps appears to be to trick unsuspecting users into approving payments of over US $100.


Upon start-up of the apps, users are requested to scan their fingerprint in order to “view their personalized calorie tracker and diet recommendations.”

However, quick as a flash, the app pops up an in-app payment dialog asking you to approve a payment of US $99, US $119.99, or €139.99.

Which means – of course – that if your finger is still touching the fingerprint scanner – you’ve probably just approved the payment. Ouch! It’s not your body that’s losing weight, it’s your wallet.

Both “Fitness Balance app” and “Calories Tracker app” have now been removed from the App Store, but questions should be asked as to how Apple’s vetted app store allowed these dodgy apps into their marketplace in the first place.

My guess is that if two apps have tried this scam, there may be others attempting it too.

One defence is to not have a credit or debit card directly connected to your Apple account, but frankly – you’re likely to find that more of a nuisance than it’s worth.

So, if you feel you have been sneakily tricked into making an in-app purchase your best bet may be to complain to Apple and request a refund.

For more discussion on this issue be sure to check out this episode of the “Smashing Security” podcast:

Smashing Security #107: 'Sextorting the US army, and a Touch ID scam'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
