From 7b32ee22a8686dd857d5a91368b3d3924063648d Mon Sep 17 00:00:00 2001
From: ScreaM <70141504+ScreaMy7@users.noreply.github.com>
Date: Thu, 4 Sep 2025 13:30:09 +0000
Subject: [PATCH 1/4] added testing deeplinks
---
.../AndroidManifest_reversed.xml | 86 +++++++++++++++++++
.../MASTG-DEMO-0062/MASTG-DEMO-0062.md | 32 +++++++
.../MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt | 32 +++++++
.../MASTG-DEMO-0062/MastgTest_reversed.java | 37 ++++++++
.../MASVS-CODE/MASTG-DEMO-0062/output.txt | 12 +++
.../android/MASVS-CODE/MASTG-DEMO-0062/run.sh | 2 +
.../MASTG-DEMO-0063/MASTG-DEMO-0063.md | 32 +++++++
.../MASVS-CODE/MASTG-DEMO-0063/output.txt | 19 ++++
.../android/MASVS-CODE/MASTG-DEMO-0063/run.sh | 2 +
rules/mastg-android-autoverify-missing.yml | 24 ++++++
...astg-android-unvalidated-deeplink-data.yml | 15 ++++
.../android/MASVS-CODE/MASTG-TEST-0288.md | 24 ++++++
.../android/MASVS-CODE/MASTG-TEST-0289.md | 24 ++++++
13 files changed, 341 insertions(+)
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0062/AndroidManifest_reversed.xml
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest_reversed.java
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
create mode 100644 rules/mastg-android-autoverify-missing.yml
create mode 100644 rules/mastg-android-unvalidated-deeplink-data.yml
create mode 100644 tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
create mode 100644 tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/AndroidManifest_reversed.xml b/demos/android/MASVS-CODE/MASTG-DEMO-0062/AndroidManifest_reversed.xml
new file mode 100644
index 00000000000..b7eb49e712e
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/AndroidManifest_reversed.xml
@@ -0,0 +1,86 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
new file mode 100644
index 00000000000..3667a5979cd
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
@@ -0,0 +1,32 @@
+---
+platform: android
+title: Unvalidated URL from Deep Link Loaded in WebView with semgrep
+id: MASTG-DEMO-0062
+code: [kotlin]
+test: MASTG-TEST-0288
+status: new
+---
+
+### Sample
+
+The following is a sample code file that contains a function to handle a deep link, which insecurely loads a URL into a WebView.
+
+{{ MastgTest_reversed.java }}
+
+### Steps
+
+Let's run @MASTG-TOOL-0110 rules against the sample code.
+
+{{ ../../../../rules/mastg-android-unvalidated-deeplink-data.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified a dangerous data flow from a source `getQueryParameter` to a sink `loadUrl`.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because the app loads a user-controllable URL from a deep link directly into a WebView without validation.
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt
new file mode 100644
index 00000000000..fc6c35d7ce5
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt
@@ -0,0 +1,32 @@
+package org.owasp.mastestapp
+
+import android.annotation.SuppressLint
+import android.content.Context
+import android.net.Uri
+import android.webkit.WebView
+import androidx.activity.ComponentActivity
+
+class MastgTest(private val context: Context) {
+
+ fun mastgTest(): String {
+ return """
+ This app is vulnerable to deep link attacks.
+
+ Test with:
+ adb shell am start -a android.intent.action.VIEW -d "vulnerable-app://deeplink?url=https://example.com"
+ """.trimIndent()
+ }
+
+ @SuppressLint("SetJavaScriptEnabled")
+ fun processDeepLinkAndLoad(uri: Uri?) {
+ if (uri == null) return
+
+ val url = uri.getQueryParameter("url")
+ if (url != null) {
+ val webView = WebView(context)
+ webView.settings.javaScriptEnabled = true
+ webView.loadUrl(url)
+ (context as ComponentActivity).setContentView(webView)
+ }
+ }
+}
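Review bot: `processDeepLinkAndLoad` is never called in this file and `mastgTest()` only returns the instruction text, so the `adb` command it prints reaches the WebView only if the hosting activity (not part of this patch) forwards `intent.data` to it. A KDoc line stating who is expected to call it would make the demo reproducible. The cast `(context as ComponentActivity)` throws `ClassCastException` when the class is constructed with a non-activity context; `(context as? ComponentActivity)?.setContentView(webView)` avoids the crash. Since the missing scheme/host check before `webView.loadUrl(url)` is the intended weakness, mark it with a comment such as `// FAIL: [MASTG-TEST-0288] deep link URL is loaded without validating scheme or host` so it is not read as a pattern to copy.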
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest_reversed.java b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest_reversed.java
new file mode 100644
index 00000000000..86c441acf7f
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest_reversed.java
@@ -0,0 +1,37 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.net.Uri;
+import android.webkit.WebView;
+import androidx.activity.ComponentActivity;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000$\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\u0006\u001a\u00020\u0007J\u0012\u0010\b\u001a\u00020\t2\b\u0010\n\u001a\u0004\u0018\u00010\u000bH\u0007R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\f"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "", "(Landroid/content/Context;)V", "mastgTest", "", "processDeepLinkAndLoad", "", "uri", "Landroid/net/Uri;", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
+/* loaded from: classes3.dex */
+public final class MastgTest {
+ public static final int $stable = 8;
+ private final Context context;
+
+ public MastgTest(Context context) {
+ Intrinsics.checkNotNullParameter(context, "context");
+ this.context = context;
+ }
+
+ public final String mastgTest() {
+ return "This app is vulnerable to deep link attacks.\n\nTest with:\nadb shell am start -a android.intent.action.VIEW -d \"vulnerable-app://deeplink?url=https://example.com\"";
+ }
+
+ public final void processDeepLinkAndLoad(Uri uri) {
+ String url;
+ if (uri != null && (url = uri.getQueryParameter("url")) != null) {
+ WebView webView = new WebView(this.context);
+ webView.getSettings().setJavaScriptEnabled(true);
+ webView.loadUrl(url);
+ Context context = this.context;
+ Intrinsics.checkNotNull(context, "null cannot be cast to non-null type androidx.activity.ComponentActivity");
+ ((ComponentActivity) context).setContentView(webView);
+ }
+ }
+}
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
new file mode 100644
index 00000000000..6acac5be23d
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
@@ -0,0 +1,12 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+ MastgTest_reversed.java
+ ❯❱ android-unvalidated-deeplink-data
+ Unvalidated data from a deep link's query parameter is loaded directly into a WebView.
+
+ 31┆ webView.loadUrl(url);
+
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
new file mode 100644
index 00000000000..229eb52f4fd
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
@@ -0,0 +1,2 @@
+# shellcheck disable=SC2148
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-unvalidated-deeplink-data.yml MastgTest_reversed.java > output.txt
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md b/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
new file mode 100644
index 00000000000..c4720cd21ef
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
@@ -0,0 +1,32 @@
+---
+platform: android
+title: Deep Link Intent Filter Missing android:autoVerify with semgrep
+id: MASTG-DEMO-0063
+code: [kotlin]
+test: MASTG-TEST-0289
+status: new
+---
+
+### Sample
+
+The following is a sample `AndroidManifest.xml` snippet that defines a deep link intent filter without the `android:autoVerify="true"` attribute.
+
+{{ ../MASTG-DEMO-0062/AndroidManifest_reversed.xml }}
+
+### Steps
+
+Let's run @MASTG-TOOL-0110 rules against the sample manifest.
+
+{{ ../../../../rules/mastg-android-autoverify-missing.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified that the deep link intent filter is missing the `android:autoVerify="true"` attribute.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because the app does not enforce Android App Links verification. Without `android:autoVerify="true"`, malicious apps may intercept the app’s deep links, leading to phishing or hijacking attacks.
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
new file mode 100644
index 00000000000..05fe5ad072f
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
@@ -0,0 +1,19 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+ AndroidManifest_reversed.xml
+ ❯❱ android-autoverify-missing
+ Deep link intent filter is missing the 'android:autoVerify="true"' attribute. Without this, a
+ malicious app could intercept app's deep links.
+
+ 33┆
+ 34┆
+ 35┆
+ 36┆
+ 37┆
+ 40┆
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
new file mode 100644
index 00000000000..889542ca1a4
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
@@ -0,0 +1,2 @@
+# shellcheck disable=SC2148
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-autoverify-missing.yml ../MASTG-DEMO-0062/AndroidManifest_reversed.xml --text -o output.txt
\ No newline at end of file
diff --git a/rules/mastg-android-autoverify-missing.yml b/rules/mastg-android-autoverify-missing.yml
new file mode 100644
index 00000000000..e3b4d772b56
--- /dev/null
+++ b/rules/mastg-android-autoverify-missing.yml
@@ -0,0 +1,24 @@
+rules:
+- id: android-autoverify-missing
+ languages:
+ - xml
+ severity: WARNING
+ metadata:
+ summary: This rule looks for unsecure deeplink.
+ message: "Deep link intent filter is missing the 'android:autoVerify=\"true\"' attribute. Without this, a malicious app could intercept app's deep links."
+ patterns:
+ - pattern-inside: |
+
+ ...
+
+ - pattern: |
+
+
+
+
+
+
+ - pattern-not: |
+
+ ...
+
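Review bot: `android:autoVerify` only has an effect on intent filters for `http`/`https` App Links, so the rule should require one of those schemes in the matched `<data>` element. The pattern bodies are blank in this view, so I cannot tell whether it already does. The sample command in MastgTest.kt uses the custom scheme `vulnerable-app://`; if the filter flagged in AndroidManifest_reversed.xml is that one, adding `autoVerify` would not prevent another app from registering the same scheme, and the message's implied remediation would be misleading. Consider restricting the match to `android:scheme="https"` and `android:scheme="http"`, and reporting custom-scheme filters under a separate message.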
diff --git a/rules/mastg-android-unvalidated-deeplink-data.yml b/rules/mastg-android-unvalidated-deeplink-data.yml
new file mode 100644
index 00000000000..655b317f2bb
--- /dev/null
+++ b/rules/mastg-android-unvalidated-deeplink-data.yml
@@ -0,0 +1,15 @@
+rules:
+- id: android-unvalidated-deeplink-data
+ languages:
+ - java
+ severity: WARNING
+ metadata:
+ summary: This rule looks for unsecure deeplink.
+ message: "Unvalidated data from a deep link's query parameter is loaded directly into a WebView."
+ mode: taint
+ pattern-sources:
+ # Source: Data originating from the intent's URI parameter.
+ - pattern: $URI.getQueryParameter(...)
+ pattern-sinks:
+ # Sink: The unvalidated data is loaded into a WebView.
+ - pattern: $WEBVIEW.loadUrl(...)
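Review bot: The rule defines no `pattern-sanitizers`, so a flow is still reported when the URL is checked against an allowlist before `loadUrl`, although both the id and the message say "unvalidated". Either add a sanitizer pattern for the validation helper the project uses, or reword the message to describe what is actually matched, for example "deep link query parameter reaches WebView.loadUrl". The source list is also narrow: only `$URI.getQueryParameter(...)` is tainted, so a handler that passes `getIntent().getDataString()` to the WebView is missed; adding `- pattern: $INTENT.getDataString()` under `pattern-sources` would cover that case. With `loadUrl` as the only sink, `loadDataWithBaseURL` and `evaluateJavascript` are likewise not covered.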
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
new file mode 100644
index 00000000000..7f6830b217c
--- /dev/null
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
@@ -0,0 +1,24 @@
+---
+title: Unvalidated URL from Deep Link Loaded in WebView
+platform: android
+id: MASTG-TEST-0288
+type: [static]
+weakness: MASWE-0088
+profiles: [L1, L2]
+---
+
+### Overview
+
+This vulnerability occurs when an application receives a URL from an external source, such as a deep link's query parameter, and loads it into a WebView without proper validation. A malicious application could send a specially crafted Intent containing a deep link with a malicious URL. When the vulnerable app's WebView loads this URL, the embedded script executes within the context of the app, leading to a Cross-Site Scripting (XSS) vulnerability. This can be used to steal session cookies, inject fake content, or perform actions on behalf of the user.
+
+### Steps
+
+Run a static ancalysis tool such as @MASTG-TOOL-0110 on the codebase to detect data flows from deep link parameters (e.g., `getQueryParameter()`) to dangerous sinks (e.g., `WebView.loadUrl()`).
+
+### Observation
+
+The output file shows a data flow where data from an Intent is used in `WebView.loadUrl()` without prior sanitization or validation.
+
+### Evaluation
+
+The test fails due to the application loading an unvalidated URL from an untrusted Intent extra into a WebView. A malicious application can create an Intent with a deep link containing a URL pointing to a malicious website. When this URL is loaded by the vulnerable WebView, the user is redirected to the attacker's site.
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
new file mode 100644
index 00000000000..4e24edc8ffe
--- /dev/null
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
@@ -0,0 +1,24 @@
+---
+title: Deep Link Intent Filter Missing android:autoVerify
+platform: android
+id: MASTG-TEST-0289
+type: [static]
+weakness: MASWE-0058
+profiles: [L1, L2]
+---
+
+### Overview
+
+This vulnerability occurs when an application defines a deep link intent filter in its `AndroidManifest.xml` without the `android:autoVerify="true"` attribute. Without this attribute, Android App Links verification is not enforced, do the android operating system cannot confirm that the app legitimately owns the declared domain. As a result, a malicious app can register the same intent filter and intercept deep links, leading to phishing, credential theft, or hijacking of user actions.
+
+### Steps
+
+Run a static analysis tool such as @MASTG-TOOL-0110 on the `AndroidManifest.xml` to detect deep link intent filters that are missing the `android:autoVerify="true"` attribute.
+
+### Observation
+
+The output shows a `` that define deep links but do not include the `android:autoVerify="true"` attribute.
+
+### Evaluation
+
+The test fails because the application does not enforce App Links verification. Without `android:autoVerify="true"`, malicious apps can intercept and handle the app’s deep links, redirecting users to attacker-controlled content.
From 516166acf4e2b31fcabd315dd3d1de8fb16e6a6f Mon Sep 17 00:00:00 2001
From: ScreaM <70141504+ScreaMy7@users.noreply.github.com>
Date: Mon, 15 Sep 2025 17:33:13 +0530
Subject: [PATCH 2/4] after review
---
.../android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md | 4 ++--
demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt | 8 ++++----
demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh | 3 +--
.../android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md | 2 +-
demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt | 8 ++++----
demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh | 1 -
rules/mastg-android-autoverify-missing.yml | 6 +++---
rules/mastg-android-unvalidated-deeplink-data.yml | 6 +++---
tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md | 2 +-
tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md | 4 ++--
10 files changed, 21 insertions(+), 23 deletions(-)
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
index 3667a5979cd..bc931aeaaf6 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
@@ -11,7 +11,7 @@ status: new
The following is a sample code file that contains a function to handle a deep link, which insecurely loads a URL into a WebView.
-{{ MastgTest_reversed.java }}
+{{ MastgTest.kt # MastgTest_reversed.java }}
### Steps
@@ -23,7 +23,7 @@ Let's run @MASTG-TOOL-0110 rules against the sample code.
### Observation
-The rule has identified a dangerous data flow from a source `getQueryParameter` to a sink `loadUrl`.
+The output file shows usage of dangerous data flow from a source `getQueryParameter` to a sink `loadUrl`.
{{ output.txt }}
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
index 6acac5be23d..d9918f6ed7d 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
@@ -1,12 +1,12 @@
+
┌────────────────┐
│ 1 Code Finding │
└────────────────┘
-
+
MastgTest_reversed.java
❯❱ android-unvalidated-deeplink-data
- Unvalidated data from a deep link's query parameter is loaded directly into a WebView.
-
+ [MASVS-PLATFORM] Unvalidated deep link query parameters are directly loaded into a WebView.
+
31┆ webView.loadUrl(url);
-
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
index 229eb52f4fd..2511a1f2114 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
@@ -1,2 +1 @@
-# shellcheck disable=SC2148
-NO_COLOR=true semgrep -c ../../../../rules/mastg-android-unvalidated-deeplink-data.yml MastgTest_reversed.java > output.txt
\ No newline at end of file
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-unvalidated-deeplink-data.yml ./MastgTest_reversed.java > output.txt
\ No newline at end of file
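Review bot: Dropping `# shellcheck disable=SC2148` leaves this script with neither a shebang nor the suppression, so shellcheck will report SC2148 on it. Adding `#!/bin/bash` as the first line fixes the underlying problem rather than silencing it. The same applies to the MASTG-DEMO-0063 run.sh hunk further down. The two scripts also write their results differently (`> output.txt` here, `--text -o output.txt` there); using one form in both keeps the demos uniform.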
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md b/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
index c4720cd21ef..0e50b056020 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
@@ -29,4 +29,4 @@ The rule has identified that the deep link intent filter is missing the `android
### Evaluation
-The test fails because the app does not enforce Android App Links verification. Without `android:autoVerify="true"`, malicious apps may intercept the app’s deep links, leading to phishing or hijacking attacks.
+The test fails because the app does not enforce Android App Links verification. Without `android:autoVerify="true"`, malicious apps may intercept the app's deep links, leading to phishing or hijacking attacks.
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
index 05fe5ad072f..ee3f765523b 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
@@ -1,4 +1,4 @@
-
+
┌────────────────┐
│ 1 Code Finding │
@@ -6,9 +6,9 @@
AndroidManifest_reversed.xml
❯❱ android-autoverify-missing
- Deep link intent filter is missing the 'android:autoVerify="true"' attribute. Without this, a
- malicious app could intercept app's deep links.
-
+ [MASVS-PLATFORM] Deep link intent filter missing android:autoVerify="true",enabling
+ malicious apps to hijack links.
+
33┆
34┆
35┆
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
index 889542ca1a4..71760827ad8 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
@@ -1,2 +1 @@
-# shellcheck disable=SC2148
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-autoverify-missing.yml ../MASTG-DEMO-0062/AndroidManifest_reversed.xml --text -o output.txt
\ No newline at end of file
diff --git a/rules/mastg-android-autoverify-missing.yml b/rules/mastg-android-autoverify-missing.yml
index e3b4d772b56..5dfece51dcb 100644
--- a/rules/mastg-android-autoverify-missing.yml
+++ b/rules/mastg-android-autoverify-missing.yml
@@ -1,11 +1,11 @@
rules:
- id: android-autoverify-missing
+ severity: WARNING
languages:
- xml
- severity: WARNING
metadata:
- summary: This rule looks for unsecure deeplink.
- message: "Deep link intent filter is missing the 'android:autoVerify=\"true\"' attribute. Without this, a malicious app could intercept app's deep links."
+ summary: This rule looks for insecure deep link configurations.
+ message: '[MASVS-PLATFORM] Deep link intent filter missing android:autoVerify="true",enabling malicious apps to hijack links.'
patterns:
- pattern-inside: |
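Review bot: The new message reads `android:autoVerify="true",enabling` with no space after the comma, and semgrep copies that text verbatim into output.txt. Change it to `android:autoVerify="true", enabling malicious apps to hijack links.` The `summary` value is now identical in this rule and in mastg-android-unvalidated-deeplink-data.yml, where "insecure deep link configurations" does not describe a taint flow into a WebView; a distinct summary per rule would be more useful in rule listings. The `patterns` block continues beyond this hunk.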
diff --git a/rules/mastg-android-unvalidated-deeplink-data.yml b/rules/mastg-android-unvalidated-deeplink-data.yml
index 655b317f2bb..beb25f7d889 100644
--- a/rules/mastg-android-unvalidated-deeplink-data.yml
+++ b/rules/mastg-android-unvalidated-deeplink-data.yml
@@ -1,11 +1,11 @@
rules:
- id: android-unvalidated-deeplink-data
+ severity: WARNING
languages:
- java
- severity: WARNING
metadata:
- summary: This rule looks for unsecure deeplink.
- message: "Unvalidated data from a deep link's query parameter is loaded directly into a WebView."
+ summary: This rule looks for insecure deep link configurations.
+ message: "[MASVS-PLATFORM] Unvalidated deep link query parameters are directly loaded into a WebView."
mode: taint
pattern-sources:
# Source: Data originating from the intent's URI parameter.
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
index 7f6830b217c..37b98a6ca64 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
@@ -9,7 +9,7 @@ profiles: [L1, L2]
### Overview
-This vulnerability occurs when an application receives a URL from an external source, such as a deep link's query parameter, and loads it into a WebView without proper validation. A malicious application could send a specially crafted Intent containing a deep link with a malicious URL. When the vulnerable app's WebView loads this URL, the embedded script executes within the context of the app, leading to a Cross-Site Scripting (XSS) vulnerability. This can be used to steal session cookies, inject fake content, or perform actions on behalf of the user.
+This vulnerability arises when an app accepts a URL from an external source such as a deep link query parameter and loads it into a WebView without validation. An attacker can craft a malicious Intent containing a deep link with a harmful URL. When loaded, the WebView executes the embedded script in the app’s context, resulting in a Cross-Site Scripting (XSS) vulnerability. This could allow theft of session cookies, injection of fake content, or unauthorized actions on behalf of the user.
### Steps
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
index 4e24edc8ffe..9529367062b 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
@@ -9,7 +9,7 @@ profiles: [L1, L2]
### Overview
-This vulnerability occurs when an application defines a deep link intent filter in its `AndroidManifest.xml` without the `android:autoVerify="true"` attribute. Without this attribute, Android App Links verification is not enforced, do the android operating system cannot confirm that the app legitimately owns the declared domain. As a result, a malicious app can register the same intent filter and intercept deep links, leading to phishing, credential theft, or hijacking of user actions.
+This vulnerability occurs when a deep link intent filter in `AndroidManifest.xml` lacks the `android:autoVerify="true"` attribute. Without verification, Android cannot confirm the app's ownership of the declared domain. A malicious app could register the same intent filter and intercept deep links, enabling phishing, credential theft, or hijacking of user actions.
### Steps
@@ -21,4 +21,4 @@ The output shows a `` that define deep links but do not include t
### Evaluation
-The test fails because the application does not enforce App Links verification. Without `android:autoVerify="true"`, malicious apps can intercept and handle the app’s deep links, redirecting users to attacker-controlled content.
+The test fails as App Links verification is not enforced. Without `android:autoVerify="true"`, malicious apps can hijack deep links and redirect users to attacker-controlled content.
From bdb97d816bbea858438713bae761656032ac416d Mon Sep 17 00:00:00 2001
From: ScreaM <70141504+ScreaMy7@users.noreply.github.com>
Date: Mon, 15 Sep 2025 17:34:34 +0530
Subject: [PATCH 3/4] md fix
---
tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
index 37b98a6ca64..bc341a3ad63 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
@@ -9,7 +9,7 @@ profiles: [L1, L2]
### Overview
-This vulnerability arises when an app accepts a URL from an external source such as a deep link query parameter and loads it into a WebView without validation. An attacker can craft a malicious Intent containing a deep link with a harmful URL. When loaded, the WebView executes the embedded script in the app’s context, resulting in a Cross-Site Scripting (XSS) vulnerability. This could allow theft of session cookies, injection of fake content, or unauthorized actions on behalf of the user.
+This vulnerability arises when an app accepts a URL from an external source such as a deep link query parameter and loads it into a WebView without validation. An attacker can craft a malicious Intent containing a deep link with a harmful URL. When loaded, the WebView executes the embedded script in the app's context, resulting in a Cross-Site Scripting (XSS) vulnerability. This could allow theft of session cookies, injection of fake content, or unauthorized actions on behalf of the user.
### Steps
From afbe8b6df8b37364b6d773a0daeb45c8bcf2584b Mon Sep 17 00:00:00 2001
From: ScreaM <70141504+ScreaMy7@users.noreply.github.com>
Date: Wed, 17 Sep 2025 17:14:52 +0530
Subject: [PATCH 4/4] moved to platform
---
.../MASTG-DEMO-0062/AndroidManifest_reversed.xml | 0
.../MASTG-DEMO-0062/MASTG-DEMO-0062.md | 0
.../MASTG-DEMO-0062/MastgTest.kt | 0
.../MASTG-DEMO-0062/MastgTest_reversed.java | 0
.../{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/output.txt | 0
.../{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/run.sh | 0
.../MASTG-DEMO-0063/MASTG-DEMO-0063.md | 0
.../{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0063/output.txt | 0
.../{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0063/run.sh | 0
.../MASTG-TEST-0288.md => MASVS-PLATFORM/MASTG-TEST-0292.md} | 2 +-
.../MASTG-TEST-0289.md => MASVS-PLATFORM/MASTG-TEST-0293.md} | 2 +-
tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md | 3 +++
12 files changed, 5 insertions(+), 2 deletions(-)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/AndroidManifest_reversed.xml (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/MASTG-DEMO-0062.md (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/MastgTest.kt (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/MastgTest_reversed.java (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/output.txt (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0062/run.sh (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0063/MASTG-DEMO-0063.md (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0063/output.txt (100%)
rename demos/android/{MASVS-CODE => MASVS-PLATFORM}/MASTG-DEMO-0063/run.sh (100%)
rename tests-beta/android/{MASVS-CODE/MASTG-TEST-0288.md => MASVS-PLATFORM/MASTG-TEST-0292.md} (98%)
rename tests-beta/android/{MASVS-CODE/MASTG-TEST-0289.md => MASVS-PLATFORM/MASTG-TEST-0293.md} (98%)
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/AndroidManifest_reversed.xml b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/AndroidManifest_reversed.xml
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0062/AndroidManifest_reversed.xml
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/AndroidManifest_reversed.xml
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MASTG-DEMO-0062.md
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0062/MASTG-DEMO-0062.md
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MASTG-DEMO-0062.md
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest.kt
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest.kt
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest.kt
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest_reversed.java b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest_reversed.java
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0062/MastgTest_reversed.java
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest_reversed.java
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/output.txt
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0062/output.txt
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/output.txt
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/run.sh
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0062/run.sh
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/run.sh
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/MASTG-DEMO-0063.md
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0063/MASTG-DEMO-0063.md
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/MASTG-DEMO-0063.md
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/output.txt
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0063/output.txt
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/output.txt
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/run.sh
similarity index 100%
rename from demos/android/MASVS-CODE/MASTG-DEMO-0063/run.sh
rename to demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/run.sh
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0292.md
similarity index 98%
rename from tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
rename to tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0292.md
index bc341a3ad63..690f555d422 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md
+++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0292.md
@@ -1,7 +1,7 @@
---
title: Unvalidated URL from Deep Link Loaded in WebView
platform: android
-id: MASTG-TEST-0288
+id: MASTG-TEST-0292
type: [static]
weakness: MASWE-0088
profiles: [L1, L2]
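Review bot: The test id becomes `MASTG-TEST-0292` here (and `MASTG-TEST-0293` in the next file), but MASTG-DEMO-0062.md and MASTG-DEMO-0063.md are renamed with 100% similarity, so their front matter still says `test: MASTG-TEST-0288` and `test: MASTG-TEST-0289`. After this commit the demos would reference ids that no longer exist. Update them to `test: MASTG-TEST-0292` and `test: MASTG-TEST-0293` in the same commit. The body of the file lies outside this hunk.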
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0293.md
similarity index 98%
rename from tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
rename to tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0293.md
index 9529367062b..51edd419cba 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0289.md
+++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0293.md
@@ -1,7 +1,7 @@
---
title: Deep Link Intent Filter Missing android:autoVerify
platform: android
-id: MASTG-TEST-0289
+id: MASTG-TEST-0293
type: [static]
weakness: MASWE-0058
profiles: [L1, L2]
diff --git a/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md b/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
index c3baf7ad929..643ac4956cd 100644
--- a/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
+++ b/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
@@ -9,6 +9,9 @@ masvs_v1_levels:
- L1
- L2
profiles: [L1, L2]
+status: deprecated
+covered_by: [MASTG-TEST-0292],[MASTG-TEST-0293]
+deprecation_note: New version available in MASTG V2
---
## Overview
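Review bot: `covered_by: [MASTG-TEST-0292],[MASTG-TEST-0293]` is two flow sequences joined by a comma, which is not a single YAML list and is likely to fail front-matter parsing. Write it as `covered_by: [MASTG-TEST-0292, MASTG-TEST-0293]`. The `deprecation_note` could also name the two replacement tests so readers of the rendered page can see where the deep link checks moved.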