Thank you for contacting us and we apologize for your inconvenience.
Let me walk you briefly through our qr codes logic.
As you've noticed, we use custom scheme along with numerous arguments to get the adhoc build URLs generated. These URLs are not insecure in any way - they're just long, containing specific, but not sensitive data that we use on our server side.
To have the URLs prettier we use a third party service - in this case bit.ly. But sometimes there are issues with the integration, so to keep everything running, we fallback to the real URLs.
Some QR code readers, though, do not treat URLs with custom schemes as real URLs, and do not open them in the browser automatically. If you copy the URL in the browser it will work. Or you can try some other QR code reader - as we are talking about adhoc builds, I tested with this QRReader app
for iPhone and it worked.
I hope this helps and clarifies the issue.
We expect to have the bit.ly service working in AppBuilder properly by the end of the month.
Let me know if I can be in any further assistance.