Re: This ought to be a standard
This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones.
The problem here is trusting any url, especially one presented to you in an app. The reason CLICK HERE is used so often is that social engineering works for every none, not just evil hackers.
There are manifold further problems with URLs: If I sent you a link to example.com/thisisreallysafe/ how do you know I am not going to use a dynamic rewrite to send you to example.com/thisisreallybadshiz ? Do you mitigate this by only going to links on sites you already know and trust the TLD?
Millions of people click on links to new sites and services every day. Few are as obvious as example.com/exploitkitpage.