In-App Purchasing Scams in the App Store

Apple’s App Store isn’t free from scams, either. John Koetsier, writing for Forbes:

I tried it myself, and the flow is very clear:

  1. Download the app
  2. Open it
  3. Click the big “Start” button (this has small, hard-to-read pricing information, but even though I was testing the app and forewarned, I missed it)
  4. Instantly be taken to an Apple payments confirmation screen: free for three days, and then $3.99/week in perpetuity.

The flow is smart and sneaky. It’s carefully designed to have you “agree” to the charges without having any intention of paying.

“Users open the app and quickly tap a ‘Start’ button or ‘Continue’ button on the first page,” she told me via email. “Unfortunately this loads the Apple payment prompt instead of starting the free app as most users would expect. Users then panic and press the home screen to exit the app — unfortunately on fingerprint devices this makes payment or signs up for the free trial.”

Needless to say, $4/week for a very, very, very simple barcode-scanning device is completely ridiculous. $156/year borders on criminal.

Apple has since pulled most of these apps from the App Store, but how did they get there in the first place? I can see how a new app with a malicious IAP scam might slip through review, but once an app is generating tens of thousands of dollars a month, it ought to get a thorough review from the App Store.

The scam outlined above is admittedly pretty clever. I’d never really thought about it before, but the fact that the home button on Touch ID devices serves both as the “Yes I really do want to authorize this payment” verification and the “Get me out of this app and back to the home screen” escape hatch makes it ripe for abuse like this. Face ID doesn’t make X-class iPhones immune from scams, but the requirement that you double-click the side button to verify a payment means you can’t be tricked into doing it inadvertently.

Wednesday, 24 October 2018