If you have an iPhone, you’re likely familiar with its biometric security. Up until the release of the iPhone X, Touch ID was an option, which uses a digital copy of your fingerprint to unlock the phone and make purchases instead of typing in a password. While Apple has replaced Touch ID with Face ID in their X series, there are a lot of folks—including me—who have a phone with Touch ID.
It’s fast, convenient and usually thought to be more secure than the 4- or 6-digit passcode most people use with their iPhones. That was the prevailing view until last week, when a rogue app that exploited Touch ID reappeared in the App Store.
While Apple is known for rigorous screening of apps before approving them to be listed in the App Store, its track record isn’t perfect. 9to5Mac reported that a scam heart rate app that tricked users into paying $89 had returned to the App Store under a new name, eight months after Apple removed the original version.
Pulse Heartbeat, formerly Heart Rate Measurement, asks users to place their finger on the Home button to supposedly take a heartbeat reading. In reality, the app dims the display brightness as low as possible to hide a purchase alert for $89. If you put your finger on the button, you may get the heartbeat reading, but the payment card associated with your Apple account will also be charged that hefty fee.
The heart rate monitor app is not the only malicious app on the market. You may think that if you stay away from apps with adult content, you’ll be safe. Unfortunately, that’s not true. Other categories including photo and video editors, games and wallpapers are also common targets for cybercriminals. So how can you tell the good from the bad?
First of all, only purchase apps from the App Store or Google Play. Third-party stores or other sources carry a much higher risk of malicious apps and should always be avoided. If you are unfamiliar with an app, do your homework before downloading it from Apple or Google. Within the app listing, there are several red flags associated with malicious apps, and they are easy to spot.
Check the number of ratings. You’ll find it next to the average star review figure as you scroll through the app listings. A legitimate app should have thousands of ratings; major apps like Instagram and Google Maps have millions. Read the app description. As with email phishing scams, suspicious apps may contain typos and poor grammar. Read the reviews. Legitimate apps will have a mix of good and bad reviews. If they are all 5-star and filled with glowing descriptions, they may be fake; unscrupulous developers often pay for good reviews. Check what other products the developer has produced and assess those as well. If the one under consideration is the developer’s only offering, it’s best to skip it.
Don’t rely only on the listing. Run a Google search to uncover possible scams. You can search for the name of the app along with the word “scam”.
Finally, pay close attention to the permissions an app requires or requests. You’re looking for permission requests that don’t match up with the app’s stated purpose. For instance, a map app needs your location to provide real-time directions, but a photo filter app does not. If you find a mismatch, do more research to learn why the permission may be useful because it may not be obvious. Facebook Messenger asks for access to your phone’s microphone not to listen in on your conversations, but to allow a user to record video or a voice message. If you are unable to find a satisfactory explanation, don’t download that app.