This is a classic reminder of why custom URL schemes are no longer sufficient for sensitive apps. iOS deep links can be powerful, but without proper validation they become an easy attack surface for hijacking flows between apps—especially in health-related use cases where data exposure is critical. The real issue isn’t just the scheme itself, but the lack of enforced ownership and input validation on the receiving side. Moving toward Universal Links with proper domain association, strict parameter validation, and authentication checks should be the baseline. Anything less is basically leaving the door half open for abuse.
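
The receiving-side checks named above (link origin, parameter validation, authentication), as an added Swift example that is not part of the original comment. The host `health.example.com`, the `/records/view` route, the `id` parameter and the `isSessionValid` closure are assumptions chosen for illustration.

```swift
import Foundation

// Added example: host, route, parameter name and session check are assumed names.
enum LinkError: Error { case untrustedOrigin, unknownRoute, badParameter, notAuthenticated }
enum Route { case showRecord(id: UUID) }

struct DeepLinkValidator {
    let allowedHost = "health.example.com"   // assumed associated domain
    let isSessionValid: () -> Bool           // assumed app-side authentication check

    // Intended to be called with userActivity.webpageURL from
    // application(_:continue:restorationHandler:) for NSUserActivityTypeBrowsingWeb.
    func route(for url: URL) throws -> Route {
        // Accept only https links on the associated domain. A custom scheme
        // carries no proof of ownership, so it is rejected outright.
        guard let c = URLComponents(url: url, resolvingAgainstBaseURL: false),
              c.scheme?.lowercased() == "https",
              c.host?.lowercased() == allowedHost,
              c.user == nil, c.password == nil, c.port == nil
        else { throw LinkError.untrustedOrigin }

        // Allowlist the route instead of dispatching on arbitrary paths.
        guard c.path == "/records/view" else { throw LinkError.unknownRoute }

        // Exactly one expected parameter, parsed into a strict type.
        let items = c.queryItems ?? []
        guard items.count == 1, items[0].name == "id",
              let raw = items[0].value, let id = UUID(uuidString: raw)
        else { throw LinkError.badParameter }

        // The link only names a destination; access still requires a session.
        guard isSessionValid() else { throw LinkError.notAuthenticated }
        return .showRecord(id: id)
    }
}

// Constructed sample inputs, not taken from any real app.
let validator = DeepLinkValidator(isSessionValid: { true })
let samples = [
    "https://health.example.com/records/view?id=3F2504E0-4F89-11D3-9A0C-0305E82C3301",
    "healthapp://records/view?id=3F2504E0-4F89-11D3-9A0C-0305E82C3301",
    "https://health.example.com/records/view?id=1%20OR%201",
    "https://health.example.com/records/view?id=3F2504E0-4F89-11D3-9A0C-0305E82C3301&next=x",
]
for s in samples {
    do { print(s, "->", try validator.route(for: URL(string: s)!)) }
    catch { print(s, "-> rejected:", error) }
}
```

Only the first sample is routed; the custom-scheme link fails the origin check and the last two fail parameter validation.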