This is really frustrating. I got a report from a user that my app was presenting a black screen on login. After investigation it turned out that the user had an app called XM (https://apps.apple.com/us/app/xm-musi-simple-music-streaming/id1493317998) which was apparently intercepting Spotify URLs and presenting a black screen while it was at it.
As there is no way to prevent 3rd parties from declaring to be able to open Spotify URLs, my proposal to mitigate this is to switch to universal links. Currently the SDK uses the spotify-action://authorize custom scheme and this needs to change to an https scheme to prevent cases like this.
I would also like to highlight the security aspect of it as the URL that XM receives includes:
my client_id
my redirect_uri
my bundle id
URL to be played
and other stuff...
Essentially, XM (accidentally or not) is performing session hijacking and this shouldn't be allowed.
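The following is an added illustration, not code from the issue author or from the Spotify SDK. It takes a constructed authorization URL of the custom-scheme shape described above, shows which parameters any app registered for that scheme receives, builds the apple-app-site-association document that a universal-link (https) approach relies on to bind the path to one signed app, and, going one step beyond the post, shows the PKCE check (RFC 7636) that makes an intercepted authorization code useless without the verifier kept in the legitimate app. All identifiers (EXAMPLE_CLIENT_ID, com.example.app, ABCDE12345, the `play` parameter) are placeholders.

```python
"""Custom-scheme interception vs universal links: added example, not SDK code."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed authorization URL in the shape of a custom-scheme handoff.
# On iOS any app that declares the "spotify-action" scheme can be handed
# this URL, and with it every parameter below. Values are placeholders.
EXAMPLE_SCHEME_URL = (
    "spotify-action://authorize?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=exampleapp%3A%2F%2Fcallback"
    "&bundle_id=com.example.app"
    "&play=spotify%3Atrack%3AEXAMPLETRACK"
)


def handler_visible_parameters(url: str) -> dict:
    """Return the query parameters that whichever app wins the scheme
    registration receives verbatim. The sender cannot choose that app."""
    parts = urlsplit(url)
    return {k: v[0] for k, v in parse_qs(parts.query).items()}


def uses_custom_scheme(url: str) -> bool:
    """True when the handoff relies on a custom scheme instead of https."""
    return urlsplit(url).scheme != "https"


def aasa_document(team_id: str, bundle_id: str, paths: list) -> str:
    """Build the apple-app-site-association JSON served from the domain.
    appID is "<TeamID>.<bundle id>", so the OS routes matching https
    paths only to that signed app, which is what a custom scheme lacks."""
    doc = {
        "applinks": {
            "apps": [],
            "details": [{"appID": f"{team_id}.{bundle_id}", "paths": paths}],
        }
    }
    return json.dumps(doc, indent=2)


def _s256(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair() -> tuple:
    """Generate a PKCE code_verifier and its S256 code_challenge.
    The verifier never leaves the legitimate app; only the challenge
    travels in the authorization URL."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)


def code_exchange_allowed(code_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint side check: an app that merely intercepted the
    redirect holds the code but not the verifier, so the exchange fails."""
    return secrets.compare_digest(_s256(presented_verifier), code_challenge)


if __name__ == "__main__":
    print("leaked to scheme handler:", handler_visible_parameters(EXAMPLE_SCHEME_URL))
    print(aasa_document("ABCDE12345", "com.example.app", ["/authorize*"]))
    verifier, challenge = pkce_pair()
    print("exchange with real verifier:", code_exchange_allowed(challenge, verifier))
    print("exchange with intercepted code only:", code_exchange_allowed(challenge, ""))
```

The association file alone only fixes routing; the PKCE check is what removes the value of an intercepted redirect, so the two are complementary rather than alternatives.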