The x-callback-url specification has been updated to R3, with the addition of a brief section on security concerns. Recommending security methods is beyond the scope of the specification, but I thought it was a good idea to encourage developers to at least consider the security implications of adding URL scheme actions to their apps.
URLs are inherently anonymous and subject to attacks using maliciously constructed URLs placed in emails, web pages, etc., and your apps should be ready for that possibility.
Comments on improving this section are welcome.
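
One way an app could treat an inbound x-callback-url as untrusted input, as an added example that is not part of the specification or the original post. The scheme `myapp`, the `open` and `delete` actions, the `id` parameter, the length limit and the denied callback schemes are assumptions made for illustration; the same checks would live in the app's own URL handler.

```python
import re
from urllib.parse import urlsplit, parse_qs

APP_SCHEME = "myapp"  # hypothetical scheme registered by the app
# Hypothetical actions: name -> (allowed action parameters, needs confirmation)
ACTIONS = {"open": ({"id"}, False), "delete": ({"id"}, True)}
CALLBACKS = ("x-success", "x-error", "x-cancel")
# Callback schemes never opened; the app's own scheme is listed to stop loops.
DENIED_CALLBACK_SCHEMES = {"javascript", "data", "file", APP_SCHEME}
MAX_URL_LENGTH = 2048  # assumed limit

class Rejected(ValueError):
    """The inbound URL failed validation and must not be acted on."""

def validate(url):
    """Return a vetted request dict for an inbound URL, or raise Rejected."""
    if len(url) > MAX_URL_LENGTH:
        raise Rejected("URL too long")
    try:
        parts = urlsplit(url)
    except ValueError:
        raise Rejected("malformed URL") from None
    if parts.scheme != APP_SCHEME or parts.hostname != "x-callback-url":
        raise Rejected("not an x-callback-url for this app")
    action = parts.path.strip("/")
    if action not in ACTIONS:
        raise Rejected("unknown action")
    allowed, confirm = ACTIONS[action]
    params, callbacks, source = {}, {}, None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if len(values) != 1:
            raise Rejected("duplicate parameter: " + key)
        if key == "x-source":
            source = values[0]  # display only: the sender chose this value
        elif key in CALLBACKS:
            m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", values[0])
            if not m or m.group(1).lower() in DENIED_CALLBACK_SCHEMES:
                raise Rejected("callback target not allowed: " + key)
            callbacks[key] = values[0]
        elif key in allowed:
            params[key] = values[0]
        else:
            raise Rejected("unexpected parameter: " + key)
    if not re.fullmatch(r"[0-9]{1,18}", params.get("id", "")):
        raise Rejected("id must be numeric")
    # The URL does not identify its sender, so state-changing actions come
    # back flagged for explicit user confirmation and are never run directly.
    return {"action": action, "params": params, "callbacks": callbacks,
            "source": source, "confirm": confirm}
```

The caller performs the action only after `validate` returns, and shows a confirmation prompt first whenever `confirm` is true.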