In the world of iOS development, Felix Krause is probably about as close as it gets to royalty (he founded the popular fastlane developer toolkit). So, when he published this report a few weeks ago (followed by a part 2), it got a lot of attention.
With these analyses, I feel Felix struck a fairly good balance between highlighting the technical potential for abuse, and clarifying that there is no current evidence of anything nefarious actually happening. Unfortunately — as is often the case — this responsible analysis was thoroughly steamrolled in the coverage of more mainstream media outlets.
This tracking vector is a legitimate security issue in the wrong hands (though not even a particularly new one, if you go back a few decades to the fight around framebusting on the web). But it's no secret why most major apps prefer to roll their own in-app web browsers: they're highly incentivized to control the end-to-end experience, because that helps keep users inside their walled gardens.
Personally, I'd love to see some of Felix's suggested mitigations get implemented. In addition to solving the security issues, this would also eliminate a few of the biggest headaches around consistent, fully-functional app deep linking.
But in the meantime, it's a reminder: give your users a reliable, deep-linked path out of these walled gardens and into your own app. Whether you have a smart banner or just a basic CTA button, it'll help you ensure the security of your users and the full ownership of their engagement.