diff --git a/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md b/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md index 9eef2d459cd..960f8e1905b 100644 --- a/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md +++ b/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md 
@@ -255,6 +255,53 @@ adb shell am start -a android.intent.action.VIEW \ - **Operational tips**: capture multiple payload variants (external URL vs `javascript:`) and replay them quickly against a device/emulator to distinguish real issues (open-redirect/auth-bypass/WebView URL injection) from static-analysis noise. - **Automation**: [Deep-C](https://github.com/KishorBal/deep-C) automates deeplink hunting by decompiling the APK (apktool + dex2jar + jadx), enumerating **exported + browsable** activities, correlating weak validation and `WebView.loadUrl` flows, and emitting ready-to-run adb PoCs (optionally auto-executed with `--exec`). +### Custom-scheme handler hijacking of onboarding / auth tokens + +Custom schemes are convenient, but they **do not prove ownership**. If an app ships a sensitive onboarding or login flow that places a bearer-like secret inside a URI such as `myapp://bind?code=`, another installed app can register the same scheme and receive the full deep link when the victim opens it from a QR scan, browser, or any other implicit `VIEW` trigger. + +Typical attacker manifest: + +```xml + + + + + + + + +``` + +Minimal interception logic: + +```java +Intent intent = getIntent(); +Uri data = intent.getData(); +String code = data != null ? data.getQueryParameter("code") : null; +// Exfiltrate or replay the token +``` + +Why this matters: +- If the deep link transports an **authorization code, bootstrap token, magic-login token, device-binding token, password-reset secret, or any other reusable credential**, this becomes an **account takeover / session takeover** primitive instead of just a local intent-routing bug. +- The issue is especially relevant in **QR-driven mobile onboarding** because users commonly scan with the camera app and then tap the OS "open link" prompt, which triggers an implicit `VIEW` resolution outside the trusted app context. 
+ +How to test: +- Look for authentication-related deep links in manifests, Java/Kotlin, and backend responses (`login`, `bind`, `register`, `signin`, `oauth`, `activate`, `reset`, `magic`). +- Confirm whether the flow places secrets in URI **query/path parameters** instead of retrieving them through a trusted app-to-backend exchange. +- Install a PoC app that claims the same scheme and replay the victim flow from every entry point you can reach: QR scan, HTML link, and adb: + +```bash +adb shell am start -a android.intent.action.VIEW \ + -d "myapp://bind?code=test-token" +``` + +- Check whether the attacker app receives the full URI, whether a chooser appears, and whether the intercepted token can be replayed remotely to finish login/onboarding. + +Hardening notes: +- Prefer **verified `https` App Links** over custom schemes for security-sensitive flows. +- Do not embed reusable secrets in hijackable deep links; bind them to the app/backend session and expire them after one use. +- If a custom scheme is unavoidable, treat every inbound parameter as attacker-controlled and avoid using it as a standalone authenticator. + ## AIDL - Android Interface Definition Language 
@@ -537,8 +584,10 @@ Tools / scripts that speed-up Binder reconnaissance: - [Android manifest provider: writePermission](https://developer.android.com/guide/topics/manifest/provider-element#wprmsn) - [Android ContentResolver.update()](https://developer.android.com/reference/android/content/ContentResolver#update(android.net.Uri,%20android.content.ContentValues,%20java.lang.String,%20java.lang.String[])) - [Deep-C – Android deep link exploitation framework](https://github.com/KishorBal/deep-C) +- [Unsafe use of deep links - Android Developers](https://developer.android.com/privacy-and-security/risks/unsafe-use-of-deeplinks) +- [Create deep links - Android Developers](https://developer.android.com/training/app-links/deep-linking) +- [Microsoft Authenticator’s Unclaimed Deep Link: A Full Account Takeover Story (CVE-2026-26123)](https://khaledsec.medium.com/microsoft-authenticators-unclaimed-deep-link-a-full-account-takeover-story-cve-2026-26123-e0409a920a02) {{#include ../../banners/hacktricks-training.md}} -
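Review bot: in the first hunk (`@@ -255,6 +255,53 @@`, new section `### Custom-scheme handler hijacking of onboarding / auth tokens`), the `xml` fence under "Typical attacker manifest:" is empty, so the markdown renders a blank code block and the manifest the sentence promises is never shown; restore the `<intent-filter>` declaration for the `myapp` scheme that the surrounding prose describes, or drop both the fence and its lead-in. In the same hunk, the "How to test:" list is split by the unindented `bash` fence, so the final bullet "Check whether the attacker app receives the full URI ..." renders as a separate one-item list; indent the fence under the preceding bullet (or move it after the list) so the steps read as one sequence. The hardening bullet "Prefer **verified `https` App Links**" would also benefit from linking the page's own "Create deep links - Android Developers" reference, since verification is the property that distinguishes App Links from the custom scheme the section warns about.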
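Review bot: in the second hunk (`@@ -537,8 +584,10 @@`), the new "Microsoft Authenticator's Unclaimed Deep Link ... (CVE-2026-26123)" reference is appended to the list but nothing in the new section from the first hunk cites it, so readers cannot tell which claim the case study supports; add an inline link from the "Why this matters" or "How to test" bullets to this entry, as the existing `Deep-C` reference is linked from the "Automation" bullet. The hunk also removes the blank line after `{{#include ../../banners/hacktricks-training.md}}`; confirm the file still ends with a terminating newline so the include directive is not the last unterminated line.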