This app was in the news in some countries, especially Portugal, and has since been removed, but it serves as a good reminder for everyone to be careful when purchasing apps and digital products.
Despite Apple’s strict review process for software distributed through the App Store, it’s still possible for malicious actors to take advantage of loopholes in the system to scam customers.
The latest example is a rather sophisticated and devious trick used by an app that claims to read your heart rate through your fingertip using Touch ID. In reality, the app (which is currently on the App Store) uses your fingerprint to authorize a transaction for $89.99 while dramatically dimming the screen to fool you.
The con is less effective on iPhones and iPads with Face ID (iPhone X and later and iPad Pro 2018), but iOS devices with Touch ID are still likely the majority of devices in use today.
Using a third-party app from the App Store to read your heart rate from the iPhone or iPad isn’t uncommon either. Apps like Instant Heart Rate: HR Monitor have long used the camera and flash to attempt to take heart rate measurements through the finger.
In the case of the ‘Heart Rate Measurement’ app currently on the App Store, the scam relies on a user not reading the dialog box that appears when a heart rate reading is attempted. The screen brightness drops to its lowest point, and the black-and-white in-app purchase user interface is almost illegible compared to the bright red fingerprint icon that appears on-screen on Touch ID devices.
While the app clearly violates App Store policy for misleading customers with ridiculous in-app purchases unrelated to the app’s function, it’s possible that the trick used by the app was added after Apple’s app review process.
Apple requires approval for in-app purchases during app review, but not for changing the amount (from 99¢ to $89.99, for example). The malicious app may also be flying under the radar because it largely targets Portuguese-speaking customers, though it does support English as well.
Apple can rely on user reports and press coverage to find bad actors like this scam app, but a post-approval review process for changes like in-app purchase adjustments may also be necessary. That’s unfortunate for developers as it adds yet another step between making business changes and reaching customers.
Apple could also add a Report Suspicious Apps action button to the App Store page to make it easier to report malicious apps.