Problems with App Links
App Links is a cross-platform solution for mobile deep-linking. It gives you a set of tools that makes it easy to link to content in your app.
For example, if someone is in the Mailbox app on their phone and sees an email containing a link to Pinterest, it will direct them into the Pinterest board in the Pinterest app on their phone. If they don’t have Pinterest downloaded, it will present the person with the option to download the app from the App Store, or they can view the Pin on mobile web.
Note that there are other ways than App Links to do mobile deep linking and that the problems expressed below are only related to App Links itself.
Some privacy concerns arise when you start looking into how it’s designed to work when handling outbound links. This is especially true for apps that choose to use a metadata index rather than scraping and parsing the HTML themselves.
When you click a link that uses an index, it will first query the index to figure out what it should do next. You know, sharing the links you click with the index provider, albeit with limited information about who you are. Not only that, but the index provider’s crawler will also fetch the page that a user is trying to access to parse the metadata.
While the App Links site claims to be all about being open, it’s easy to imagine that Facebook wants as much control as possible over it. At the time of writing, Facebook is the only index provider listed.
Some providers may also provide access to a high-performance index of App Link metadata that you may choose to use in your own apps rather than scraping and parsing HTML yourself:
- Facebook App Link index – Provides access to Facebook’s index of App Link metadata for arbitrary URLs
Using App Links can also lead to some unexpected problems. What led me to writing this post is that we had to re-work how we allow our users to reset their passwords. Users of Mailbox could not reset their passwords because we used a link that expired on its first use. Since Mailbox uses App Links, the Facebook crawler would request the link before it was loaded in our user’s browser, effectively expiring the link.
Don’t get me wrong, I think there’s room for an easy way to deep-link into applications. I just think that it’s the responsibility of the platforms, not a third party.
In any case, do you think that Facebook’s interest in App Links is the experience of your users, or its own?