From 3d19e54d568e7147c16b6ca8761d0705d7e0bf27 Mon Sep 17 00:00:00 2001 From: Prince Mathew Date: Mon, 3 Mar 2025 00:32:35 +0530 Subject: [PATCH] Updated readme to recommend users to use applinks with https scheme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index e824ab48..030ed755 100644 --- a/README.md +++ b/README.md @@ -197,6 +197,8 @@ The callback will get invoked when the user returns to your application. There a ##### A note about App Deep Linking: +> Whenever possible, Auth0 recommends using [Android App Links](https://auth0.com/docs/applications/enable-android-app-links) as a secure way to link directly to content within your app. Custom URL schemes can be subject to [client impersonation attacks](https://datatracker.ietf.org/doc/html/rfc8252#section-8.6). + If you followed the configuration steps documented here, you may have noticed the default scheme used for the Callback URI is `https`. This works best for Android API 23 or newer if you're using [Android App Links](https://auth0.com/docs/applications/enable-android-app-links), but in previous Android versions this _may_ show the intent chooser dialog prompting the user to choose either your application or the browser. You can change this behaviour by using a custom unique scheme so that the OS opens directly the link with your app. 1. Update the `auth0Scheme` Manifest Placeholder on the `app/build.gradle` file or update the intent-filter declaration in the `AndroidManifest.xml` to use the new scheme.
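Review bot: The added blockquote under "A note about App Deep Linking" now contradicts the unchanged paragraph that follows it. That paragraph still ends with "You can change this behaviour by using a custom unique scheme so that the OS opens directly the link with your app", and step 1 explains how to set it. A reader therefore gets a warning that custom URL schemes can be subject to client impersonation, then instructions for switching to one with no qualification. Consider rewording that paragraph in the same change so the custom scheme is presented as a fallback for Android versions below API 23, where the `https` callback may show the intent chooser, and so it repeats that App Links remain the recommended option on API 23 or newer. The new note also says "Whenever possible" without saying when it is not possible. Tying it to the API 23 boundary that the next paragraph already mentions would make the two pieces of guidance consistent.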