Rogue heart rate app highlights flaws in Apple's closed-door review process

Posted:
in General Discussion edited November 2018
Today, multiple media outlets brought attention to a malicious "heart rate" scanning app that attempted to dupe wide-eyed shoppers into buying a $90 in-app purchase, which highlights that Apple still needs to do a lot more work on the app review process.

heart Rate scam
Scam heart rate app


The entire app is fraudulent and purports to read a users heart rate by having them place their finger on the Touch ID sensor. In actuality, after a second or so of random "heart rate" values flashing on the screen, the app dims the screen to its minimum brightness and invokes an in-app purchase for $89.99.

It is obvious this app should have never made it past the review process, not even looking at the substantial cost of the in-app purchase, considering that it is impossible for your iPhone to actually read your heart rate through the Touch ID sensor. The scam is even more obvious when used on a newer device that relies on Face ID.

When I ran the app on our iPhone XS Max -- which lacks Touch ID -- the app still claimed to show me my heart rate.

Others have hypothesized reasons the app may have "slipped through," and have absolved Apple of much of the blame -- but none of the reasons put forth much make sense. This is an app that attempted to deceive consumers at its face, intentionally, from the get-go. Despite patents suggesting that the technology is possible, reading heart rate on the Touch ID sensor isn't doable, trying to do so at a touch on a Face ID-equipped iPhone is even less possible, and the way the IAP is invoked is scary.

Once you start the "heart rate reading" process and the IAP is triggered, you have the option to hit cancel. But then, it is triggered again, and again, and again.

We force-closed the app, yet so many invocations of the in-app purchase dialog were sent they continued to pop up. Even more experienced users could potentially make the purchase while trying to close the app and shut off their phone.

The level of fraud here is mind-blowing enough that even a rookie app reviewer at Apple should have caught this -- assuming any eyes been laid on it. The basic premise is fake, the method of continuously triggering IAP is clearly a violation, and the outrageous price is clearly problematic.

This highlights, yet again, the problem with Apple's app review process. We are all in support of the review process, but for a clearly fraudulent app to slide through unquestioned raises serious doubts. The chance that this was a one-off circumstance that Apple overlooked and it happened to be a scam is quite unlikely and makes us question how thorough the process is as a whole.

Apple can't praise the security of its walled garden while not even looking at apps that make it on the App Store. This app is currently still alive on the App Store, though we expect it to be promptly removed.
«1

Comments

  • Reply 1 of 30
    Here’s a good blog post that ties into this. http://davidbarnard.com/post/180568817995/how-to-game-the-app-store According to Rene Ritchie not all of the App Store is under Phil Schiller. Maybe that’s part of the problem if the App Store is scattered amongst multiple execs.
    dedgecko
  • Reply 2 of 30
    I have to give credit to the inventiveness of whoever thought of that way of scamming people. 
  • Reply 3 of 30
    Heart BPM Monitor by Winfy Software LLP
    https://itunes.apple.com/us/app/heart-bpm-monitor/id1395837045?mt=8

    These guys want $129.99 for this one. Could be a typo...
  • Reply 4 of 30
    maestro64maestro64 Posts: 4,564member
    I have to give credit to the inventiveness of whoever thought of that way of scamming people. 
    Yes, and that why the saying buyer beware still holds true, but we live in a society which people do not want to be responsible for their own actions.
  • Reply 5 of 30
    I believe the old App Store policies which required much more time would have caught this. Apple received quite a bit of torture from app developers over long delays and strict policies that they relented a few years back and streamlined the process allowing for more automation. This was a huge mistake obviously. 
    dedgeckorob53n2itivguymacpluspluswatto_cobra
  • Reply 6 of 30
    The Apple reviewers can be totally nitpicky bastards too -- guess this app got a slacker.
    kozchrisforgot usernamewatto_cobra
  • Reply 7 of 30
    genovelle said:
    I believe the old App Store policies which required much more time would have caught this. Apple received quite a bit of torture from app developers over long delays and strict policies that they relented a few years back and streamlined the process allowing for more automation. This was a huge mistake obviously. 
    Problem is that humans are good at doing unscripted testing....IF that particular individual doing it is good at it, and IF he wants to do that properly. So, the issue is  - consistency of results, then. The automated testing does not suffer that problem, but because it is dumb, it will be terrible at catching things similar to the one mentioned in the article.
    edited November 2018 dewmewatto_cobra
  • Reply 8 of 30
    I am not looking forward to what will happen if Apple loses the Supreme Court case Re: App Store Antitrust.

    I like that fact that the App store is not the wild west and full of scams like the other stores on other platforms.
    T.j.p.racerhomie3entropyswatto_cobrajony0
  • Reply 9 of 30
    lkrupplkrupp Posts: 7,072member
    And this is from inside the Walled Garden. Think what will happen if you can install anything you want from Uncle Abdul’s iOS App Store.com. Yeah, we want that anti-trust lawsuit to force this on iOS users. We want choice without consequences don’t we.
    Rayz2016watto_cobrajony0
  • Reply 10 of 30
    This is especially egregious, but one interesting tidbit is that you can change the amounts of in-app purchases _after_ approval, AFIAK. That doesn't excuse other issues in this app, but that part of it may have shown $1 when the app reviewer was checking it out.

    If Apple honors refund requests and quickly eradicates the app, that helps. It would obviously be best if this type of thing never got on the store. Sad to say that it only takes a few cracks in the walled garden to make it much less appealing. I prefer the walled garden though, it's generally much more peaceful. :)
    forgot usernamewatto_cobra
  • Reply 11 of 30
    Andrew_OSUAndrew_OSU Posts: 243member, editor
    This is especially egregious, but one interesting tidbit is that you can change the amounts of in-app purchases _after_ approval, AFIAK. That doesn't excuse other issues in this app, but that part of it may have shown $1 when the app reviewer was checking it out.

    If Apple honors refund requests and quickly eradicates the app, that helps. It would obviously be best if this type of thing never got on the store. Sad to say that it only takes a few cracks in the walled garden to make it much less appealing. I prefer the walled garden though, it's generally much more peaceful. :)
    That logic is what I referred to here: "Others have hypothesized reasons the app may have "slipped through," and have absolved Apple of much of the blame."

    I don't buy that argument and didn't want to call out the original source that put that out there. Like you say, even if the purchase price was a buck, there are so many other red flags. If anyone had looked at this for three seconds they'd have noticed scam this is. To me, the price of the IAP is irrelevant. It is the fact something like this made it through at all, even if it was free.
    watto_cobra
  • Reply 12 of 30
    It's not even just the scams that are eroding my trust. The system in its current form allows for misleading consumers.

    Like free apps with in-app purchases that present as supporting Family Sharing. We checked to make sure the app Infinite Flight supported Family Sharing before paying over $100 for an in-app purchase for our grandson. When we tried to activate the unlocked features on another device, it didn't work. When we contacted the developer we were told the app itself is shareable, but NOT the in-app purchase. What the hell is the point of Family Sharing for a FREE app? The part that matters is the PAID part! There's nothing in the existing App Store structure that lets a buyer know that in advance.

    Words With Friends does the same thing.

    The "Family Sharing" designation in the App Store seems to be meaningless.
    gatorguypalomineforgot username
  • Reply 13 of 30
    It's possible that what the reviewer saw and what users are seeing is very different. The developer could have the app contacting a server to see if it's passed review then it shows the misleading version of the app. It's kinda like the Car company's cheating the inspections for emissions, during testing they did things to pass but one in consumers hands they operated differently to what regulators tested.

    If thats the case that they cheated the review process then expect the app to be pulled and the developer suspended.
    anton zuykovwatto_cobra
  • Reply 14 of 30
    cpsrocpsro Posts: 2,460member
    Apple can't praise the security of its walled garden while not even looking at apps that make it on the App Store. This app is currently still alive on the App Store, though we expect it to be promptly removed.
    Apple certainly can praise the security, as I do. Yes, it's awful that this app made it into the App Store--and how it did so needs to be discovered and corrected--but the app is gone now. GONE.
    watto_cobra
  • Reply 15 of 30
    This could have been time delayed. The reviewer may never have had a chance to see this.
  • Reply 16 of 30
    cpsro said:
    Apple can't praise the security of its walled garden while not even looking at apps that make it on the App Store. This app is currently still alive on the App Store, though we expect it to be promptly removed.
    Apple certainly can praise the security, as I do. Yes, it's awful that this app made it into the App Store--and how it did so needs to be discovered and corrected--but the app is gone now. GONE.
    If a murdered is caught and put in jail, the murderer is gone now. GONE. But there's still the nagging issue of the victim...

    If that murder occurred within an environment that explicitly makes access less convenient because it's supposed to be a safe place, it's reasonable to be miffed that someone was able to get a weapon inside.
    osmartormenajrdewmeforgot usernamemuthuk_vanalingam
  • Reply 17 of 30
    dewmedewme Posts: 2,062member
    This is a seriously hard fail for Apple's testers. As others have said, if Apple loses control over the App Store any hopes of being reimbursed for fraudulent purchases from scam apps will be all the more difficult. 
    forgot username
  • Reply 18 of 30
    Rayz2016Rayz2016 Posts: 4,593member
    cpsro said:
    Apple can't praise the security of its walled garden while not even looking at apps that make it on the App Store. This app is currently still alive on the App Store, though we expect it to be promptly removed.
    Apple certainly can praise the security, as I do. Yes, it's awful that this app made it into the App Store--and how it did so needs to be discovered and corrected--but the app is gone now. GONE.
    I get that it's gone, but the point is that it shouldn't have gotten to the store in the first place.


    muthuk_vanalingam
  • Reply 19 of 30
    Rayz2016Rayz2016 Posts: 4,593member
    lkrupp said:
    And this is from inside the Walled Garden. Think what will happen if you can install anything you want from Uncle Abdul’s iOS App Store.com. Yeah, we want that anti-trust lawsuit to force this on iOS users. We want choice without consequences don’t we.

    I completely agree, but the walled garden has to work, or Apple may find it a struggle to justify it, especially in front of the freedom-to-steal mob.

    forgot username
  • Reply 20 of 30
    dewme said:
    This is a seriously hard fail for Apple's testers. As others have said, if Apple loses control over the App Store any hopes of being reimbursed for fraudulent purchases from scam apps will be all the more difficult. 
    That's an interesting point. Arguments of anti-competitive behaviour are sometimes levelled against Apple, which Apple counters with a "safety for users" defence. If it can be shown that Apple isn't living up to that claim, it may be forced to take down the garden wall. Right now that wall may not be keeping out all the snakes, but at least it's providing users with some recourse when they're bitten. Once the wall is gone, so is that path to recompense.


    EDIT: It took me a minute to realize it (I just woke up) but I'm wrong. There's no reason opening up the iOS app market to sources outside the app store would absolve Apple of responsibility for apps sold through it's own storefront. It would only affect those who choose to buy from outside sources. Those who choose to continue buying apps only from Apple's store would still have recourse.
    edited December 2018
Sign In or Register to comment.