The mobile application registers custom URL schemes for its deep links. Because the operating system does not bind a custom scheme to a single app, a malicious application installed on the same device can register the same scheme and intercept the sensitive data passed through those URLs.
A malicious application could intercept OAuth callbacks, password reset tokens, or other sensitive data passed through deep links, leading to account takeover or data theft.
Use Universal Links (iOS) and App Links (Android) instead of custom URL schemes, so that the operating system verifies domain ownership before routing a link to the app. Validate the source and content of deep link data before acting on it. Implement server-side verification for sensitive operations initiated via deep links.
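As an added illustration (not part of the original finding), the Android manifest fragment below shows the hijackable custom-scheme intent filter beside its App Links replacement, with the matching Digital Asset Links file in a comment. The package name, host, scheme and fingerprint are placeholder assumptions; in a real fix the custom-scheme filter is removed rather than kept alongside the App Link.

```xml
<!-- Weak: custom URL scheme. Any installed app can declare the same scheme,
     and the OS may route exampleapp://oauth?code=... to it instead of to us. -->
<activity android:name=".OAuthCallbackActivity" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="exampleapp" android:host="oauth" />
    </intent-filter>
</activity>

<!-- Corrected: Android App Link. android:autoVerify="true" makes the OS fetch
     https://app.example.com/.well-known/assetlinks.json at install time; only
     the app whose signing-certificate fingerprint is listed there receives
     https://app.example.com/oauth/callback links without a chooser dialog. -->
<activity android:name=".OAuthCallbackActivity" android:exported="true">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https"
              android:host="app.example.com"
              android:pathPrefix="/oauth/callback" />
    </intent-filter>
</activity>

<!-- Served at https://app.example.com/.well-known/assetlinks.json (JSON, shown
     here as a comment). The fingerprint is the release signing certificate's
     SHA-256; a placeholder is used below.
[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.app",
    "sha256_cert_fingerprints": ["RELEASE_CERT_SHA256_FINGERPRINT_PLACEHOLDER"]
  }
}]
-->
```

The protection only holds once verification succeeds; on Android 12 and later, `adb shell pm get-app-links com.example.app` reports whether the domain is verified, and an unverified https filter still falls back to the app chooser.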