Twitter’s news today, buried ahead of the Thanksgiving holiday, is that client apps on iOS and Android will detect the apps you have on your device to aid in the targeting of suggested accounts and advertising.
Kurt Wagner, Re/code:
On iOS, for example, developers can ping a user’s device at any time and recall a list of apps that are currently running on their smartphone. If they ping the device often enough, the developer could piece together a user’s entire app library.
Whilst mostly true, there’s some important details that need clarification.
How Is Twitter Doing This?
My guess on how Twitter is doing this is through URL schemes1. It’s an important distinction to note (though, as an outlet for a not-necessarily-technical audience I won’t knock Re/code for over-simplifying), as Re/code suggests it’s based on what’s running on your device - when in fact it’s based on apps that appear3 to be installed on your device and have been launched. This obviously changes over time, and my beef is simply with the use of “currently running”.
Apps on iOS2 can declare a URL scheme that, when they’re launched for the first time, the system registers to the app. This basically means that if a URL starts with the declared URL scheme, iOS will launch the app and let the app know the full URL that the user (or other app) used. By including extra information as part of the URL, you can effectively deep-link within the app to a specific spot.
twitter://user?screen_name=nikf in Safari will open my profile in Twitter’s app.
Example of a URL scheme with a deep-link
The most important thing about URL schemes, however, is that its implementation in iOS is not one that allows you to ask the system “OK, what URL schemes can the system handle” (unlike on OS X). You have to ask, for every URL scheme your app is aware of, “OK, can you open a URL like
It’s worth noting that the UIKit method that apps can use to see if a device is capable of opening any given URL arrived in iOS 3.0 in 2009, and other apps have used it on a smaller scale to personalise sharing options (in the case of Clear, we use URL schemes to unlock themes if you have certain other apps installed). URL schemes are also used in things like Notification Centre’s Today widgets to launch an app when tapping on an item.
What Can Apple Do About This
Honestly: it’s hard to know. URL schemes are widely used (for everything from app-launching to handling web-service sign in). If Apple wanted to prevent wide-spread use of app detection like this, it could ostensibly require apps to declare the URL schemes the app intends to launch in the app’s configuration (alongside the URL schemes the app itself offers to the system). Similarly, Apple could prevent apps from launching URL schemes for apps that aren’t from the same developer. There’s also, most probably, smarter options that I haven’t thought of.
However. Any of these approaches, whilst shoring up privacy would deal a substantial blow to many apps’ benign workflows. URL schemes are useful to detect specific contextually-relevant actions for the apps on your device - even with the arrival of extensions in iOS 8 - and even web-services that you use in Safari make use of them to open apps.
In short: what Twitter is doing (more than likely) isn’t new - for example, it’s how Facebook switches you to Messenger when tapping on the Messenger item in the tab-bar. It still (more than likely) requires Twitter to build up a substantial database of URL schemes and maintain them - something both handleopenurl.com and Twitter’s own ad products can help with. But that doesn’t make it any less controversial.
Update: One thing I deliberately overlooked was the use of private APIs to detect the currently-running apps. It’s certainly possible with private APIs. But it seems unlikely that any half-serious developer would try slipping this through App Review (if it even got that far).
Update 2: A peek at the contents of Twitter’s “TwitterPlatformResources.bundle” within the iOS app reveals a JSON file containing over 2,500 app URL schemes and their Apple App Store ID.
Update 3: This feature is no longer part of Twitter for iOS.
OS X also supports URL schemes, as you’d expect. However it’s not as neatly abstracted as on iOS. ↩
I say “appear”, as URL schemes that developers add to their apps are intended to be unique but aren’t enforced as unique. So, an app could register another app’s URL scheme. If URL schemes collide, then bets are off as to which app iOS launches. ↩