Lysa Myers, Security Researcher at ESET, outlines the growing threat from deceptive practices to scam both iOS and Android users alike, offering advice on how users can safeguard themselves from such threats.
There’s nothing new about advertisers and app developers using deceptive practices, but the Touch ID scam that Lukáš Štefanko wrote about recently is a significant twist in this ongoing story. Of course, iOS users are not alone in facing these dilemmas; as Lukáš wrote earlier this year, Android users are experiencing their own flood of predatory app tactics too.
What can we do to protect ourselves against these fraudulent practices?
Be aware of the limitations of app store review processes
The policies and review procedures of major app stores do keep out a large number of fraudulent apps. While there are always more things they might and probably should be doing to continue to improve this problem, it is an ongoing learning process for all of us.
Due to the incredibly large total number of apps and updates that each major app store sees every day, much of the work involved in the review of new submissions is automated. This means that each app likely has functionality that will not necessarily be seen by a human or be tested specifically. Even very well-known and more-or-less legitimate app vendors have been caught doing things to try to evade having certain functionality reviewed. This means it’s still crucial to do our own due diligence.
While most scam apps do in fact include numerous positive reviews, these often show signs of phoniness. Wording may be very vague, downright nonsensical or exhibit repetitive patterns (including different reviews repeating the same phrases or having similar usernames, for example). It’s a good idea to re-order the ranking options on reviews to see a more balanced picture: depending on the particular app store, you can sort the reviews to see those that have been deemed ‘most helpful’ or that are ranked ‘most critical’ first.
The best time to figure out whether an app is a scam is before you download it. While it may be hard to calm the fear of missing out, it’s best to wait a few days or weeks before downloading brand new apps, to let other people be the ‘guinea pigs’. This way you can read what other people have to say about the app’s functionality before making a decision.
Use apps by developers you know and trust
If at all possible, it’s a good idea to stick with reputable app developers. If you’re new to a platform, that may be easier said than done. In that case, it’s a good idea to do a little more research first, to get a better sense of whether a particular developer already has other well-reviewed and popular apps that are currently available for download.
Be aware of valid functionality
While it can be hard to keep up with the complete picture of what each new device can do, it’s a good idea to be at least somewhat aware of the functionality of your device. For example: fingerprint data is not accessible to apps, only a ‘yes’ or ‘no’ verdict about whether your fingerprint matches the one previous stored on your device. This is to say that apps cannot use a scan of your finger to give advice on calorie data, nutrition information, how much water you should drink, or to present ancestry analysis. (It’s worth noting that you couldn’t really get valid information on any of those things from a scan of your finger even if the app could access those data.)
If your phone has existing functionality like a QR reader or a flashlight app, it might not be a good idea to install an app that does that exact same thing, especially as many of these apps have a history of being problematic. If you’re looking to specifically try a different app than one your phone already has – like a mail reader or an Internet browser – be sure to read some third party reviews first to see which options are well-reviewed and popular.
There are a variety of things you can look at to find information that might indicate a predatory app. Do the developers have other apps available already and are they reviewed well? Do they have a website that appears professional, including contact information? What results are returned if you do an Internet search for the name of the app or developer plus the word ‘scam’?
Can you find more information on third-party sources regarding subscription rates or in-app purchase prices? (Apple may offer information about the latter within the app description.) Does the app purport to give you a free or discount version of more expensive for-fee app? (These scams often cost more than just money.)
Request a refund and report bad actors
If you’ve gotten as far as having already downloaded an app that turned out to be a scam, ask the app store or the bank attached to your payment card to refund the charge. If the purchase was in the form of a subscription, this may be more complicated but it will soon become worth your time and effort to have gone through the entire process. You can also report fraudulent apps to the app stores themselves, as well as contributing reviews that describe your experience.
It’s time to push back against ‘dark patterns’
Many of us already vote with our wallets when it comes to sub-optimal software behaviour, by choosing not to purchase or support companies that fail to consider privacy or security, or that behave in ways that we consider too predatory or problematic. But there is another area that more people should be aware of, that describes a more understated category of sketchy behaviour.
‘Dark patterns’ describe the scenario where a user interface is designed to intentionally trick or emotionally manipulate you into clicking where otherwise you might not. In the case of the Fitness Balance app, it takes advantage of the fact that the Home button on some iPhones or iPads can serve two purposes: your finger is already resting on a (fingerprint) sensor in a way that can also be used to select an option on the screen. Newer versions of the iPhone require you to make two distinct actions for these things; you must take your finger off the sensor for a moment after a fingerprint scan, before it can be used to select an option.
Some dark patterns are much less obvious, because they take advantage of expectations that we may not be consciously aware that we have, or because they cause us to be more inattentive.
Here are a few examples of scenarios in user interfaces that predatory app makers may try to manipulate:
- we expect an ‘accept’ option to be the bigger or more obvious one
- we may rush decisions if we’re overwhelmed or frustrated
- we may be less cautious of what’s on our screen if we’re trying to brush away detritus
- in many cultures, we expect red to mean ‘stop’ and green to mean ‘go’
- we expect a ‘close’ button to appear in certain predictable locations
- buttons may be labelled in ways that makes their meaning unclear
In cases where emotional manipulation is in play, there may be a confirmation dialogue that tries to guilt-trip or scare you into changing a selection. This is where things can get a little nebulous: when is it a legitimate warning, rather than unnecessary fear-mongering? This can be something of a value judgement, which is subject to our own interpretation. Whatever you decide, you can let software vendors know that you value a clear and predictable user experience that does not rely on fear, uncertainty and doubt.