Fascinating find with the custom URL scheme hijacking on iOS. The fact that iOS resolves scheme conflicts by install order rather than bundle ID verification is a well-known but underexploited attack surface. This is especially dangerous in health apps where sensitive patient data could be intercepted. Have you tested whether Universal Links with apple-app-site-association would fully mitigate this in production?