It’s great when an app allows you to add extra security — a fingerprint scan or a depth map of your face, for example — to access its contents. In case someone ever gets their hands on your unlocked device (or figures out your PIN), it’ll be trickier for them to access critical apps, like your banking apps, if they don’t have your finger or face nearby.
What’s not so great is when scammy apps attempt to use your device’s security features to rip you off. And that’s exactly what’s been happening in some iOS apps lately, as Engadget recently reported. (Android, too, we presume, since no platform is immune to those looking to make a quick buck by taking advantage of gullible users.)
How the fingerprint-scanning scam works
Let’s take a look at the “Fitness Balance” app for iOS, which has since been pulled from the App Store. The app would pop up a screen that asks you to “scan your fingerprint to view personal calories tracker and diet.” A little countdown timer would start, too, for no reason whatsoever.
.@AppleSupport this app called Fitness Balance is trying to scam people out of $100+ dollars by tricking them into purchasing their in-app purchases. It is unacceptable this app managed to get on your App Store. pic.twitter.com/I68vwQoG86
— Jacques Fourie (@Jac4e) November 29, 2018
A tiny alarm should be going off in your head, because this request sounds awfully suspicious (and grammatically incorrect—another sign that this “feature” might not be all that helpful). The request itself isn’t a standard system prompt, which is red flag number two. And that countdown timer? That’s probably not something you’ve ever encountered when asked to authenticate yourself using your fingerprint or face.
Click on the embedded video above, and you’ll see exactly how the scam works. As your fingerprint is “scanned,” the app pops up a payment window for an in-app purchase. Since you’re already holding your finger to your smartphone’s reader, you’ll approve the purchase — a mere $165. Yikes.
How to stay safe against annoying app scams
There will always be some kind of new scam for you to worry about. However, there are a few general tips you should consider when using a new app to better protect yourself against unsavoury developers who are looking to make a quick buck.
If it looks or feels weird, don’t do it
If you’ve been using your smartphone for a reasonable amount of time, you should be used to the standard conventions: how you pay for apps or in-app purchases, what the prompts look like when you’re using your device’s fingerprint or face-recognition features, when or where apps (or your OS) ask you to use your finger or face to log into something, and so on.
If an app suggests a procedure that seems a bit off—like holding your finger down on your smartphone’s fingerprint sensor for an extended period of time, when that’s normally just a quick press—you should tread carefully. The same is true if an app wants you to keep pressing your finger down in different ways to “register” your fingerprint, even if you’ve already done that within Android or iOS, or if the app isn’t using system prompts when asking you to authenticate.
Read. The. Reviews.
Whenever you’re looking for new apps to try out, always read the reviews. And don’t just read the reviews—think about what they’re saying. If an app has 15 five-star reviews that all look pretty generic or, worse, sound a bit spammy, odds are good they aren’t legitimate. That doesn’t mean you shouldn’t download the app, but you’ll want to keep your guard up to make sure you’re actually getting the experience the app promises. Watch out for bait-and-switches, overpriced subscriptions, or the aforementioned “suckered into buying a really expensive in-app purchase” issue.
In fact, you should be able to check an app’s in-app purchases on both the App Store and Google Play before you download it. If an app offers some outrageously expensive one-off purchase as an IAP, and it’s not something that makes a lot of sense—like paying a premium for extra content in a medical reference app, for example—you should be concerned.
Check your purchase history and ask for refunds for scams
It’s easy to see when you’ve made app or in-app purchases on iOS or Android. You should also receive emails at your account’s primary email address whenever you spend money. Pay attention to these—or make it a regular point to check your purchase history—to make sure you didn’t accidentally buy something you didn’t mean to.
If that happens, you can request a refund from Apple (via “Report a Problem” on any invoice) or Google (via your order history). Both companies should refund your purchases if you were obviously scammed into making them, so long as you explain your case. The sooner you can ask for a refund, the better, so make sure you’re getting those emails whenever you buy an app or some kind of in-app content.
Disable fingerprint or face authentication for purchases
If you really want to be safe, you can always elect to type in a long, cumbersome password instead of using your finger or face to authenticate purchases from the App Store or Google Play (or within apps you’ve downloaded). This will at least give you some extra time to confirm that you really want to buy what the app wants you to buy.
You can disable Face ID and Touch ID for purchases from their respective sections within your iOS Settings app. On Android, pull up the settings menu within Google Play and look for the “Fingerprint authentication” option.
Screenshot: David Murphy