Port MASTG-TEST-0028: Testing for Testing Deep Links (android) (by @appknox) #3463
Conversation
There was a problem hiding this comment.
@ScreaMy7
I see that a lot of the information contained in this test is being lost right now. Please consider porting it all:
- What information is knowledge and belongs in https://mas.owasp.org/MASTG/knowledge/android/MASVS-PLATFORM/MASTG-KNOW-0019/
- What information describes best practices and should be added to a new
MASTG-BEST-XXXX? (each test should have at least one best practice linked) - What techniques are here that don't have a MASTG-TECH-XXXX entry? e.g.
- "Check for Deep Link Usage"
- "Check for Correct Website Association"
- "Monitoring Deep Links"
- "Invoking Deep Links"
- etc
- What tools are used and don't have a MASTG-TOOL-XXXX entry? e.g. "Android App Link Verification Tester"
- What tests are missing?
- "Use of Unverified App Links"
- "Use of Unverified Custom URL Schemes"
- "Use of Verified App Links with Incorrect Website Association"
| @@ -0,0 +1,24 @@ | |||
| --- | |||
| title: Deep Link Intent Filter Missing android:autoVerify | |||
There was a problem hiding this comment.
This should be "Use of Unverified App Links" plus an additional "Use of Unverified Custom URL Schemes" which is now missing.
|
Also please use "fake IDs" (e.g. MASTG-TEST-0x28-1, MASTG-TEST-0x28-2, MASTG-DEMO-00xx-1, MASTG-DEMO-00xx-2) until we're ready to merge, to avoid conflicts. |
cpholguera
changed the title
|
@ScreaMy7 any news on this? |
|
@cpholguera I have added new demos, a tool and the new technique also contain invoking and monitoring deeplinks. Please review. |
There was a problem hiding this comment.
Pull request overview
This PR ports MASTG-TEST-0028 (Testing Deep Links on Android) from the legacy format to MASTG V2 structure. It deprecates the old test and creates three new focused tests covering different deep link security aspects, along with comprehensive supporting documentation.
- Creates three new deep link security tests (MASTG-TEST-XXXA, MASTG-TEST-XXXB, MASTG-TEST-0295) covering WebView URL validation, autoVerify attribute, and custom URL schemes
- Adds new technique document (MASTG-TECH-XXXX) with detailed procedures for deep link testing including verification, monitoring, and invocation
- Provides three complete demos with Semgrep rules, sample code, and expected outputs
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 26 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md | Marks the legacy test as deprecated with references to new replacement tests |
| tests-beta/android/MASVS-PLATFORM/MASTG-TEST-XXXA.md | New test for detecting unvalidated deep link URLs loaded into WebViews |
| tests-beta/android/MASVS-PLATFORM/MASTG-TEST-XXXB.md | New test for detecting missing android:autoVerify attribute in intent filters |
| tests-beta/android/MASVS-PLATFORM/MASTG-TEST-XXXC.md | New test (ID: MASTG-TEST-0295) for detecting use of unverified custom URL schemes |
| techniques/android/MASTG-TECH-XXXX.md | Comprehensive technique document covering deep link detection, validation, monitoring, and invocation |
| tools/android/MASTG-TOOL-014X.md | Documents the App Link Verification command-line tool |
| rules/mastg-android-unvalidated-deeplink-data.yml | Semgrep taint rule for detecting unvalidated deep link data flows to WebView |
| rules/mastg-android-custom-deeplink-scheme.yml | Semgrep rule for detecting custom URL schemes in intent filters |
| rules/mastg-android-autoverify-missing.yml | Semgrep rule for detecting missing autoVerify attribute |
| demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXA/* | Complete demo for WebView deep link vulnerability with Kotlin source, reversed Java, manifest, and Semgrep output |
| demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXB/* | Complete demo for missing autoVerify attribute with manifest and Semgrep output |
| demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXC/* | Complete demo for custom URL scheme vulnerability with Kotlin source, reversed Java, manifest, and Semgrep output |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXC/MASTG-DEMO-XXXC.md
Outdated
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXB/MASTG-DEMO-XXXB.md
Outdated
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXB/MASTG-DEMO-XXXB.md
Outdated
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXC/MASTG-DEMO-XXXC.md
Outdated
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXB/MASTG-DEMO-XXXB.md
Outdated
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXA/MASTG-DEMO-XXXA.md
Outdated
Show resolved
Hide resolved
|
|
||
| ## Steps | ||
|
|
||
| 1. Run a static analysis tool such as @MASTG-TOOL-0110 on the `AndroidManifest.xml` to list the `VIEW/BROWSABLE` intent-filters declaring non-HTTP(S) schemes. |
There was a problem hiding this comment.
No tools in tests.
Correct words "intent filter".
|
|
||
| ## Evaluation | ||
|
|
||
| The test fails if the app relies on custom URL schemes for high-risk operations that should use verified App Links (HTTPS) with Digital Asset Links. Mitigations include migrating to App Links for exclusivity or implementing robust in-app validation and user confirmation. |
There was a problem hiding this comment.
No mitigations in tests. Add best-practices in the metadata.
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXA/AndroidManifest_reversed.xml
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXB/AndroidManifest_reversed.xml
Show resolved
Hide resolved
demos/android/MASVS-PLATFORM/MASTG-DEMO-XXXC/AndroidManifest_reversed.xml
Show resolved
Hide resolved
| status: new | ||
| --- | ||
|
|
||
| ### Overview |
There was a problem hiding this comment.
Demos don't have an Overview section
|
|
||
| This demo references a manifest that declares a custom scheme: | ||
|
|
||
| {{ AndroidManifest_reversed.xml }} |
There was a problem hiding this comment.
Original manifest missing
|
@ScreaMy7 please take a look. There are review comments from December and today. |
|
@cpholguera I have added the changes. Please review. |
| type: [static] | ||
| weakness: MASWE-0071 | ||
| profiles: [L1, L2] | ||
| knowledge: [MASTG-KNOW-0019] |
There was a problem hiding this comment.
knowledge: [MASTG-KNOW-0019] references a knowledge page that doesn't exist anywhere under knowledge/ in this repo. Either reference an existing MASTG-KNOW-#### entry or add the missing knowledge page and use its actual ID.
| knowledge: [MASTG-KNOW-0019] |
|
|
||
| ## Evaluation | ||
|
|
||
| The test fails if the app relies on custom URL schemes for high-risk operations that should use verified App Links (HTTPS) with Digital Asset Links. |
There was a problem hiding this comment.
Evaluation should start with "The test case fails if ..." to match the standard test template used in tests-beta (for example tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0316.md).
| The test fails if the app relies on custom URL schemes for high-risk operations that should use verified App Links (HTTPS) with Digital Asset Links. | |
| The test case fails if the app relies on custom URL schemes for high-risk operations that should use verified App Links (HTTPS) with Digital Asset Links. |
| android:scheme="vulnerable-app" | ||
| android:host="deeplink"/> |
There was a problem hiding this comment.
This demo is intended to illustrate missing App Links verification (android:autoVerify), but the intent-filter shown uses a custom scheme (android:scheme="vulnerable-app"). App Links are HTTPS URLs; android:autoVerify is not applicable to custom schemes. Update the sample to use an https scheme + host (and keep android:autoVerify absent) so the demo and rule match the real failure mode.
| android:scheme="vulnerable-app" | |
| android:host="deeplink"/> | |
| android:scheme="https" | |
| android:host="vulnerable-app.example"/> |
| rules: | ||
| - id: android-autoverify-missing | ||
| severity: WARNING |
There was a problem hiding this comment.
Rule IDs in this repo typically use the mastg-android-... prefix (matching the filename), but this new rule uses android-autoverify-missing. Consider renaming the rule id to follow the established prefixing so references and output are consistent.
| rules: | ||
| - id: android-custom-deeplink-intent-filter | ||
| severity: WARNING |
There was a problem hiding this comment.
Rule IDs in this repo typically use the mastg-android-... prefix (matching the filename), but this new rule uses android-custom-deeplink-intent-filter. Consider renaming the rule id to follow the established prefixing for consistency with other rules.
| ```bash | ||
| $ python3 deeplink_analyser.py -op list-all -apk example.apk | ||
|
|
||
| org.owasp.mastestapp.MainActivity | ||
|
|
||
| vulnerable-app://deeplink | ||
| ``` |
There was a problem hiding this comment.
Shell command examples in fenced blocks should not include a prompt character. Remove the leading $ so the command is directly copy/pasteable.
| @@ -0,0 +1 @@ | |||
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-autoverify-missing.yml ../MASTG-DEMO-0062/AndroidManifest_reversed.xml --text -o output.txt No newline at end of file | |||
There was a problem hiding this comment.
run.sh references ../MASTG-DEMO-0062/AndroidManifest_reversed.xml instead of the manifest shipped in this demo folder, which makes the demo non-self-contained and couples it to another demo's layout. Point the command at ./AndroidManifest_reversed.xml (or include the needed file locally) so the demo can run independently.
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-autoverify-missing.yml ../MASTG-DEMO-0062/AndroidManifest_reversed.xml --text -o output.txt | |
| NO_COLOR=true semgrep -c ../../../../rules/mastg-android-autoverify-missing.yml ./AndroidManifest_reversed.xml --text -o output.txt |
2 participants
closes #2980