Rogue heart rate app highlights flaws in Apple's closed-door review process
Today, multiple media outlets brought attention to a malicious "heart rate" scanning app that attempted to dupe wide-eyed shoppers into buying a $90 in-app purchase, which highlights that Apple still needs to do a lot more work on the app review process.

Scam heart rate app
The entire app is fraudulent and purports to read a user's heart rate by having them place their finger on the Touch ID sensor. In actuality, after a second or so of random "heart rate" values flashing on the screen, the app dims the screen to its minimum brightness and invokes an in-app purchase for $89.99.
It is obvious this app should never have made it past the review process, even setting aside the substantial cost of the in-app purchase, considering that it is impossible for your iPhone to actually read your heart rate through the Touch ID sensor. The scam is even more obvious when the app is used on a newer device that relies on Face ID.
When I ran the app on our iPhone XS Max -- which lacks Touch ID -- the app still claimed to show me my heart rate.
Others have hypothesized reasons the app may have "slipped through," and have absolved Apple of much of the blame -- but none of the reasons put forth make much sense. This is an app that set out to deceive consumers on its face, intentionally, from the get-go. Despite patents suggesting that the technology is possible, reading heart rate on the Touch ID sensor isn't doable, trying to do so at a touch on a Face ID-equipped iPhone is even less possible, and the way the IAP is invoked is scary.
Once you start the "heart rate reading" process and the IAP is triggered, you have the option to hit cancel. But then, it is triggered again, and again, and again.
We force-closed the app, yet so many invocations of the in-app purchase dialog were sent they continued to pop up. Even more experienced users could potentially make the purchase while trying to close the app and shut off their phone.
The level of fraud here is mind-blowing enough that even a rookie app reviewer at Apple should have caught this -- assuming any eyes were laid on it at all. The basic premise is fake, the method of continuously triggering the IAP is clearly a violation, and the outrageous price is clearly problematic.
This highlights, yet again, the problem with Apple's app review process. We are all in support of the review process, but for a clearly fraudulent app to slide through unquestioned raises serious doubts. The chance that this was a one-off that Apple happened to overlook is slim, and it makes us question how thorough the process is as a whole.
Apple can't praise the security of its walled garden while not even looking at apps that make it on the App Store. This app is currently still alive on the App Store, though we expect it to be promptly removed.
Comments
https://itunes.apple.com/us/app/heart-bpm-monitor/id1395837045?mt=8
These guys want $129.99 for this one. Could be a typo...
If Apple honors refund requests and quickly eradicates the app, that helps. It would obviously be best if this type of thing never got on the store. Sad to say that it only takes a few cracks in the walled garden to make it much less appealing. I prefer the walled garden though, it's generally much more peaceful.
I don't buy that argument and didn't want to call out the original source that put that out there. Like you say, even if the purchase price was a buck, there are so many other red flags. If anyone had looked at this for three seconds they'd have noticed what a scam this is. To me, the price of the IAP is irrelevant. It is the fact something like this made it through at all, even if it was free.
Like free apps with in-app purchases that present as supporting Family Sharing. We checked to make sure the app Infinite Flight supported Family Sharing before paying over $100 for an in-app purchase for our grandson. When we tried to activate the unlocked features on another device, it didn't work. When we contacted the developer we were told the app itself is shareable, but NOT the in-app purchase. What the hell is the point of Family Sharing for a FREE app? The part that matters is the PAID part! There's nothing in the existing App Store structure that lets a buyer know that in advance.
Words With Friends does the same thing.
The "Family Sharing" designation in the App Store seems to be meaningless.
If that's the case that they cheated the review process, then expect the app to be pulled and the developer suspended.
If that murder occurred within an environment that explicitly makes access less convenient because it's supposed to be a safe place, it's reasonable to be miffed that someone was able to get a weapon inside.
I completely agree, but the walled garden has to work, or Apple may find it a struggle to justify it, especially in front of the freedom-to-steal mob.
EDIT: It took me a minute to realize it (I just woke up) but I'm wrong. There's no reason opening up the iOS app market to sources outside the App Store would absolve Apple of responsibility for apps sold through its own storefront. It would only affect those who choose to buy from outside sources. Those who choose to continue buying apps only from Apple's store would still have recourse.