The simplest choice would be to whitelist the iOS iPhone and iPad user agents for Safari 6 and above, Chrome 23 and above. The downside is that you'll miss apps that have implemented Passbook support into their UIWebView implementation.
A blanket ban on the UIWebView UA string would not be effective because:
- The app author is free to change the UIWebView user agent string
- You would block access for apps that have implemented Passbook support
The Facebook app is a good example of one that has both changed the UA string and implemented Passbook support. The Twitter app has changed the UA string but has not implemented Passbook support.
So option 2 could be to create a blacklist of apps known not to have implemented support. Scanning this QR will reveal the user agent string of the browser, which may help. The key is using a suitable regex to account for variations in the OS and app version, but avoid false positives.
A third option would be be to use Javascript to display a prominent message that instructs the user to open the link in Safari if they the app browser stops responding and then redirect to the .pkpass bundle.