Touch ID provides ease of use for attackers wishing to fleece iPhone users.
A series of iOS applications were being used to fraudulently charge iPhone users through Touch ID. The apps, which provided legitimate functionality, would ask the user to scan their fingerprint before completing a task. In many cases the application claimed to be collecting health information, such as heart rate measurements, so providing that identification seemed warranted. However, that was not the real reason behind collecting the scan.
When the user provided their fingerprint, the application was actually using Touch ID for another of its abilities: authorizing a purchase. The apps would briefly pop up an in-app purchase and then dim the screen so that the prompt would not be seen. Users were charged anywhere from $90 to $120.
This handful of reported apps has already been pulled from the App Store, but not before claiming an unknown number of victims. As yet, it is unknown whether other apps on the Apple App Store are carrying out the same attack. It is also unknown whether Apple will address this vulnerability. After all, Touch ID is being phased out, since current and future devices no longer have the fingerprint sensor and rely on Face ID instead. The fact that Apple has yet to comment on the issue shouldn't provide much comfort to those on older-generation devices.
After all, Apple’s business strategy is to push all users onto the most current device, and a vulnerable Touch ID may just provide another reason for users to do just that.