Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App

Hi, This is an interesting vulnerability, when a Shopify app whose `redirect_uri` points to a malformed URI handler like **shit:google.com** gets installed to a Shop then, it will effectively prevent the admins to see and remove installed apps to his/her shop. **Reproduction** 1. Create a Shopify App at https://app.shopify.com/services/partners/api_clients/new 2. Enter any for the App and set its **Application Callback URL** to **shit:google.com** 3. Save the App. 4. Create an OAuth URL for the App, Like - https://vulnstore.myshopify.com/admin/oauth/authorize?scope=read_customers&client_id=cad94488c733b0f377a9a1d7952db802 5. Now try to install the app by clicking "Install <AppName>" in the OAuth permission dialogue. It won't redirect after clicking. 6. Go and visit https://vulnstore.myshopify.com/admin/apps The page will throw internal server 500 and usual error message. This will not let admin remove any of his app till the *malicious app* is deleted by the app developer. POC App: https://[store].myshopify.com/admin/oauth/authorize?scope=read_customers&client_id=cad94488c733b0f377a9a1d7952db802 If you have any doubt in reproduction, you can watch the following short screencast as well - https://www.dropbox.com/s/1h8gjg07r5h9gkj/Shopify%20DoS.mov?dl=0 Regards, Prakhar Prasad