Pixel Envy

Written by Nick Heer.

Abuses of canOpenURL to Be Blocked in iOS 9

Interesting post from Greg Pierce:

There are two URL-related methods available to apps on iOS that are affected: canOpenURL and openURL. These are not new methods and the methods themselves are not changing. As you might expect from the names, “canOpenURL” returns a yes or no answer after checking if there are any apps installed on the device that know how to handle a given URL. “openURL” is used to actually launch the URL, which will typically leave the app and open the URL in another app.

Up until iOS 9, apps have been able to call these methods on any arbitrary URLs. Starting on iOS 9, apps will have to declare what URL schemes they would like to be able to check for and open in the configuration files of the app as it is submitted to Apple. This is essentially a whitelist that can only be changed or added to by submitting an update to Apple. It appears that certain common URLs handled by system apps, like “http”, “https”, do not need to be explicitly whitelisted.

Didn’t catch that? Many apps use custom URL schemes. Right now, apps can randomly poll iOS using a huge list of canOpenURL scheme queries, and iOS will basically return a list of apps on the system that support those URL schemes. Since many schemes are very particular (like workflow:// for Workflow, uh, workflows), this is basically a list of apps on a user’s iOS device, which is kind of creepy.

But Twitter figured this out, and today, they announced they’re amping up the creepy. Kurt Wagner, Recode:

Twitter announced on Wednesday that its advertisers can use that app information to target users with ads. Marketers will be able to see the different categories of apps you have downloaded onto your phone as well as how recently you downloaded them in order to understand what you’re interested in.

This is opt-out, by the way, so turn off “Tailor Twitter based on my apps” under Settings. Better still, turn off all tailoring while you’re there — Twitter has demonstrated that they have little regard for your privacy. On the bright side, it seems like this kind of app-based targeting will only be possible for the next few months.
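Because the schemes an app may query now have to be declared in its configuration, they can be reviewed before the app is trusted. The following is an added example, not code from Greg Pierce's post or from Apple: a short Python audit that reads an app's Info.plist and reports the schemes it has declared. It assumes the declaration lives under Apple's `LSApplicationQueriesSchemes` key; the sample plist, the bundle identifier and the review threshold are constructed for illustration.

```python
import plistlib

# Schemes the post says appear not to need declaring (handled by system apps).
SYSTEM_SCHEMES = {"http", "https"}

# Constructed sample Info.plist for a hypothetical app; not taken from a real app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>workflow</string>
    <string>HTTPS</string>
    <string>examplebank</string>
    <string>Workflow</string>
    <string>examplechat://</string>
  </array>
</dict>
</plist>"""


def normalize(scheme):
    """URL schemes are case-insensitive; drop any trailing ':' or '://'."""
    return scheme.strip().lower().split(":", 1)[0]


def audit_query_schemes(plist_bytes, max_third_party=3):
    """Summarise which other apps' schemes this app has declared it will probe.

    max_third_party is a reviewer-chosen threshold (an assumption, not an Apple limit).
    """
    info = plistlib.loads(plist_bytes)
    declared = info.get("LSApplicationQueriesSchemes", [])
    if not isinstance(declared, list):
        raise ValueError("LSApplicationQueriesSchemes must be an array")
    seen = sorted({normalize(s) for s in declared if isinstance(s, str) and normalize(s)})
    third_party = [s for s in seen if s not in SYSTEM_SCHEMES]
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<unknown>"),
        "third_party": third_party,  # each entry reveals whether one other app is installed
        "redundant_system": [s for s in seen if s in SYSTEM_SCHEMES],
        "needs_review": len(third_party) > max_third_party,
    }


if __name__ == "__main__":
    print(audit_query_schemes(SAMPLE_INFO_PLIST, max_third_party=2))
```

A long `third_party` list with no obvious tie to the app's features is the thing to question in review, since each entry is one installed-app check the app is permitted to make.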