date 2006-12-18
from the fingered dept.
iOS apps used Touch ID feature to trick users into paying hefty fees
Apple's App Store has given the boot to two highly rated apps that abused the iOS Touch ID feature in an attempt to swindle users out of sums of more than $100, users on Reddit reported over the weekend.
The offending "Fitness Balance app" and "Calories Tracker app" promised to calculate body mass index, monitor calorie intake, and provide other health-related services. With no advance warning, according to Reddit posts, the apps charged users fees of $99.99, $119, or 139 Euros, depending on the country of the user. Users who had a credit or debit card connected to their Apple account were immediately billed.
The scam worked by displaying a message as soon as the app was opened. It told users to scan their fingerprint to view a calorie tracker or receive another personal service. When users complied, the apps displayed a popup window that said they had been charged a fee. Less than two seconds later, the popup disappeared, but by then it was too late for many users. Anyone with a card linked to their Apple account was already charged.
(Score: 3, Insightful) by fyngyrz on Friday December 07, @12:03AM
In-app purchases have always been a minefield of risk on multiple levels. As well as having made gaming and even serious apps into slow-squeeze-to-death-by-dollars mechanisms.
Don't like it. Not one bit.
But apparently this appeals to people because they don't understand what "free app" actually means. :(
(Score: 3, Interesting) by bob_super on Friday December 07, @12:07AM (2 children)
Given all the stories of viruses, stray apps like these, and children clicking on popups in games without knowing it costs money, I just have never told any of my Android devices about my credit card. No payment set up, no accidental charges!
Turns out I never needed a paid-for app (ok, once, but the company got charged and sent an activation code), so it never restricted me.
(Score: 1) by IndigoFreak on Friday December 07, @12:15AM (1 child)
Even with the same precautions I have been worried. You can 'text' a phone number and get a charge on your phone bill. With all the app permissions that are 'required' for even dumb flashlight apps, they easily can get outgoing SMS rights, and send text messages. I don't see anything that actually stops this from happening.
(Score: 2) by bob_super on Friday December 07, @12:28AM
Granular permissions on newer Android versions are supposed to prevent unwanted texting or internet access.
Actually, the Play store got worse and is now hiding the permissions under a sub-page, which means too many people will just not bother to check them (then will click OK on any popup asking anything without reading).
I also used Noroot Firewall for a while. Prevents basic access to the web from the apps by masquerading as a VPN. It's amazing how many things try to talk to the internet, yet if you don't let them it has no visible impact whatsoever on functionality.
(Score: 0) by Anonymous Coward on Friday December 07, @12:26AM (1 child)
Sure, have a charge(99.99) feature to prompt the user to authorize that payment, but what that prompt looks like and reads like should be entirely controlled by the OS without so much as a single pixel of the screen during the authorization process controlled by the dev, not even a name of what you're purchasing. That should all be dealt with before requesting payment.
(Score: 0) by Anonymous Coward on Friday December 07, @12:33AM
They didn't control the prompt; what happened is that the prompt only requires one's finger be scanned, and the apps tricked users into putting their finger in place for scanning prior to prompting, so the prompt was blown right through before they had time to read it and remove their finger.
Damned silly design, but a more understandable mistake than what I assumed.