Today, multiple media outlets brought attention to a malicious "heart rate" scanning app that attempted to dupe wide-eyed shoppers into buying a $90 in-app purchase, which highlights that Apple still needs to do a lot more work on the app review process.
The entire app is fraudulent and purports to read a user's heart rate by having them place their finger on the Touch ID sensor. In actuality, after a second or so of random "heart rate" values flashing on the screen, the app dims the screen to its minimum brightness and invokes an in-app purchase for $89.99.
It is obvious this app should never have made it past the review process, even setting aside the substantial cost of the in-app purchase, considering that it is impossible for your iPhone to actually read your heart rate through the Touch ID sensor. The scam is even more obvious when the app is used on a newer device that relies on Face ID.
When I ran the app on our iPhone XS Max — which lacks Touch ID — the app still claimed to show me my heart rate.
Others have hypothesized reasons the app may have "slipped through," and have absolved Apple of much of the blame — but none of the reasons put forth make much sense. This is an app that attempted to deceive consumers on its face, intentionally, from the get-go. Despite patents suggesting that the technology is possible, reading heart rate on the Touch ID sensor isn't doable, trying to do so with a touch on a Face ID-equipped iPhone is even less possible, and the way the IAP is invoked is scary.
Once you start the "heart rate reading" process and the IAP is triggered, you have the option to hit cancel. But then, it is triggered again, and again, and again.
We force-closed the app, yet so many invocations of the in-app purchase dialog had been sent that they continued to pop up. Even more experienced users could potentially make the purchase while trying to close the app and shut off their phone.
The level of fraud here is mind-blowing enough that even a rookie app reviewer at Apple should have caught this — assuming any eyes were laid on it at all. The basic premise is fake, the method of continuously triggering the IAP is clearly a violation, and the outrageous price is clearly problematic.
This highlights, yet again, the problem with Apple's app review process. We are all in support of the review process, but for a clearly fraudulent app to slide through unquestioned raises serious doubts. The chance that this was a one-off circumstance that Apple overlooked, and that the one app it overlooked happened to be a scam, is quite unlikely, and it makes us question how thorough the process is as a whole.
Apple can't praise the security of its walled garden while not even looking at apps that make it on the App Store. This app is currently still alive on the App Store, though we expect it to be promptly removed.
30 Comments
Here’s a good blog post that ties into this. http://davidbarnard.com/post/180568817995/how-to-game-the-app-store According to Rene Ritchie not all of the App Store is under Phil Schiller. Maybe that’s part of the problem if the App Store is scattered amongst multiple execs.
I have to give credit to the inventiveness of whoever thought of that way of scamming people.
Heart BPM Monitor by Winfy Software LLP
https://itunes.apple.com/us/app/heart-bpm-monitor/id1395837045?mt=8
These guys want $129.99 for this one. Could be a typo...
I believe the old App Store policies, which required much more time, would have caught this. Apple received so much torture from app developers over long delays and strict policies that it relented a few years back and streamlined the process, allowing for more automation. This was obviously a huge mistake.