diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/AndroidManifest_reversed.xml b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/AndroidManifest_reversed.xml
new file mode 100644
index 00000000000..b7eb49e712e
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/AndroidManifest_reversed.xml
@@ -0,0 +1,86 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MASTG-DEMO-0062.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MASTG-DEMO-0062.md
new file mode 100644
index 00000000000..bc931aeaaf6
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MASTG-DEMO-0062.md
@@ -0,0 +1,32 @@
+---
+platform: android
+title: Unvalidated URL from Deep Link Loaded in WebView with semgrep
+id: MASTG-DEMO-0062
+code: [kotlin]
+test: MASTG-TEST-0288
+status: new
+---
+
+### Sample
+
+The following is a sample code file that contains a function to handle a deep link, which insecurely loads a URL into a WebView.
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run @MASTG-TOOL-0110 rules against the sample code.
+
+{{ ../../../../rules/mastg-android-unvalidated-deeplink-data.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The output file shows usage of dangerous data flow from a source `getQueryParameter` to a sink `loadUrl`.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because the app loads a user-controllable URL from a deep link directly into a WebView without validation.
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest.kt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest.kt
new file mode 100644
index 00000000000..fc6c35d7ce5
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest.kt
@@ -0,0 +1,32 @@
+package org.owasp.mastestapp
+
+import android.annotation.SuppressLint
+import android.content.Context
+import android.net.Uri
+import android.webkit.WebView
+import androidx.activity.ComponentActivity
+
+class MastgTest(private val context: Context) {
+
+ fun mastgTest(): String {
+ return """
+ This app is vulnerable to deep link attacks.
+
+ Test with:
+ adb shell am start -a android.intent.action.VIEW -d "vulnerable-app://deeplink?url=https://example.com"
+ """.trimIndent()
+ }
+
+ @SuppressLint("SetJavaScriptEnabled")
+ fun processDeepLinkAndLoad(uri: Uri?) {
+ if (uri == null) return
+
+ val url = uri.getQueryParameter("url")
+ if (url != null) {
+ val webView = WebView(context)
+ webView.settings.javaScriptEnabled = true
+ webView.loadUrl(url)
+ (context as ComponentActivity).setContentView(webView)
+ }
+ }
+}
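Review bot: `processDeepLinkAndLoad` is the intentionally vulnerable sample, but nothing in the code says so, and a reader lifting it has no signal that the missing check is the point; I would add above the method `// Intentionally vulnerable (MASTG-TEST-0292): the "url" query parameter reaches loadUrl() without any scheme/host validation.` and a KDoc line noting that `context as ComponentActivity` throws for any non-Activity `Context`, since the constructor accepts plain `Context`. Any edit here also requires regenerating MastgTest_reversed.java and output.txt, because the semgrep rule is run against the decompiled Java, not this file. Separately, the demo frontmatter `test: MASTG-TEST-0288` (and `MASTG-TEST-0289` in MASTG-DEMO-0063) does not match the tests this commit adds, MASTG-TEST-0292 and MASTG-TEST-0293.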
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest_reversed.java b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest_reversed.java
new file mode 100644
index 00000000000..86c441acf7f
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/MastgTest_reversed.java
@@ -0,0 +1,37 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.net.Uri;
+import android.webkit.WebView;
+import androidx.activity.ComponentActivity;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000$\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\u0006\u001a\u00020\u0007J\u0012\u0010\b\u001a\u00020\t2\b\u0010\n\u001a\u0004\u0018\u00010\u000bH\u0007R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\f"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "", "(Landroid/content/Context;)V", "mastgTest", "", "processDeepLinkAndLoad", "", "uri", "Landroid/net/Uri;", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
+/* loaded from: classes3.dex */
+public final class MastgTest {
+ public static final int $stable = 8;
+ private final Context context;
+
+ public MastgTest(Context context) {
+ Intrinsics.checkNotNullParameter(context, "context");
+ this.context = context;
+ }
+
+ public final String mastgTest() {
+ return "This app is vulnerable to deep link attacks.\n\nTest with:\nadb shell am start -a android.intent.action.VIEW -d \"vulnerable-app://deeplink?url=https://example.com\"";
+ }
+
+ public final void processDeepLinkAndLoad(Uri uri) {
+ String url;
+ if (uri != null && (url = uri.getQueryParameter("url")) != null) {
+ WebView webView = new WebView(this.context);
+ webView.getSettings().setJavaScriptEnabled(true);
+ webView.loadUrl(url);
+ Context context = this.context;
+ Intrinsics.checkNotNull(context, "null cannot be cast to non-null type androidx.activity.ComponentActivity");
+ ((ComponentActivity) context).setContentView(webView);
+ }
+ }
+}
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/output.txt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/output.txt
new file mode 100644
index 00000000000..d9918f6ed7d
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/output.txt
@@ -0,0 +1,12 @@
+
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+ MastgTest_reversed.java
+ ❯❱ android-unvalidated-deeplink-data
+ [MASVS-PLATFORM] Unvalidated deep link query parameters are directly loaded into a WebView.
+
+ 31┆ webView.loadUrl(url);
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/run.sh b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/run.sh
new file mode 100644
index 00000000000..2511a1f2114
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0062/run.sh
@@ -0,0 +1 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-unvalidated-deeplink-data.yml ./MastgTest_reversed.java > output.txt
\ No newline at end of file
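Review bot: This run.sh captures output with shell redirection (`> output.txt`) while MASTG-DEMO-0063/run.sh uses semgrep's own `--text -o output.txt`; the two demos should use one form, and the differing number of leading blank lines in the two output.txt files looks like a side effect of that difference. Suggested line: `NO_COLOR=true semgrep -c ../../../../rules/mastg-android-unvalidated-deeplink-data.yml ./MastgTest_reversed.java --text -o output.txt`, followed by regenerating output.txt. Both run.sh files also lack a trailing newline.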
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/MASTG-DEMO-0063.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/MASTG-DEMO-0063.md
new file mode 100644
index 00000000000..0e50b056020
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/MASTG-DEMO-0063.md
@@ -0,0 +1,32 @@
+---
+platform: android
+title: Deep Link Intent Filter Missing android:autoVerify with semgrep
+id: MASTG-DEMO-0063
+code: [kotlin]
+test: MASTG-TEST-0289
+status: new
+---
+
+### Sample
+
+The following is a sample `AndroidManifest.xml` snippet that defines a deep link intent filter without the `android:autoVerify="true"` attribute.
+
+{{ ../MASTG-DEMO-0062/AndroidManifest_reversed.xml }}
+
+### Steps
+
+Let's run @MASTG-TOOL-0110 rules against the sample manifest.
+
+{{ ../../../../rules/mastg-android-autoverify-missing.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified that the deep link intent filter is missing the `android:autoVerify="true"` attribute.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because the app does not enforce Android App Links verification. Without `android:autoVerify="true"`, malicious apps may intercept the app's deep links, leading to phishing or hijacking attacks.
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/output.txt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/output.txt
new file mode 100644
index 00000000000..ee3f765523b
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/output.txt
@@ -0,0 +1,19 @@
+
+
+┌────────────────┐
+│ 1 Code Finding │
+└────────────────┘
+
+ AndroidManifest_reversed.xml
+ ❯❱ android-autoverify-missing
+ [MASVS-PLATFORM] Deep link intent filter missing android:autoVerify="true",enabling
+ malicious apps to hijack links.
+
+ 33┆
+ 34┆
+ 35┆
+ 36┆
+ 37┆
+ 40┆
\ No newline at end of file
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/run.sh b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/run.sh
new file mode 100644
index 00000000000..71760827ad8
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/run.sh
@@ -0,0 +1 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-autoverify-missing.yml ../MASTG-DEMO-0062/AndroidManifest_reversed.xml --text -o output.txt
\ No newline at end of file
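Review bot: The command scans `../MASTG-DEMO-0062/AndroidManifest_reversed.xml`, so this demo depends on a file owned by another demo; any edit to MASTG-DEMO-0062's manifest silently changes MASTG-DEMO-0063's finding and the line numbers recorded in its output.txt. Shipping a copy of the manifest in this directory, and pointing MASTG-DEMO-0063.md (which currently includes `../MASTG-DEMO-0062/AndroidManifest_reversed.xml` too) at that copy, keeps each demo self-contained and regenerable on its own.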
diff --git a/rules/mastg-android-autoverify-missing.yml b/rules/mastg-android-autoverify-missing.yml
new file mode 100644
index 00000000000..5dfece51dcb
--- /dev/null
+++ b/rules/mastg-android-autoverify-missing.yml
@@ -0,0 +1,24 @@
+rules:
+- id: android-autoverify-missing
+ severity: WARNING
+ languages:
+ - xml
+ metadata:
+ summary: This rule looks for insecure deep link configurations.
+ message: '[MASVS-PLATFORM] Deep link intent filter missing android:autoVerify="true",enabling malicious apps to hijack links.'
+ patterns:
+ - pattern-inside: |
+
+ ...
+
+ - pattern: |
+
+
+
+
+
+
+ - pattern-not: |
+
+ ...
+
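Review bot: The `message` is missing a space after the comma (`"true",enabling`), and the same defect is already baked into MASTG-DEMO-0063/output.txt; fix the rule and regenerate: `message: '[MASVS-PLATFORM] Deep link intent filter missing android:autoVerify="true", enabling malicious apps to hijack links.'`. The `summary` is identical to the one in mastg-android-unvalidated-deeplink-data.yml and does not describe this rule; `summary: Flags deep link intent filters in AndroidManifest.xml that lack android:autoVerify="true".` would. The pattern bodies are blank in this view so I cannot check them, but App Links verification only applies to `http`/`https` data schemes, so unless the `pattern` restricts the `<data>` element to those schemes the rule will also flag custom-scheme filters where `android:autoVerify` has no effect; the MASTG-DEMO-0062 sample's adb command uses a custom `vulnerable-app://` scheme, which makes this worth confirming against the manifest the demo actually scans.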
diff --git a/rules/mastg-android-unvalidated-deeplink-data.yml b/rules/mastg-android-unvalidated-deeplink-data.yml
new file mode 100644
index 00000000000..beb25f7d889
--- /dev/null
+++ b/rules/mastg-android-unvalidated-deeplink-data.yml
@@ -0,0 +1,15 @@
+rules:
+- id: android-unvalidated-deeplink-data
+ severity: WARNING
+ languages:
+ - java
+ metadata:
+ summary: This rule looks for insecure deep link configurations.
+ message: "[MASVS-PLATFORM] Unvalidated deep link query parameters are directly loaded into a WebView."
+ mode: taint
+ pattern-sources:
+ # Source: Data originating from the intent's URI parameter.
+ - pattern: $URI.getQueryParameter(...)
+ pattern-sinks:
+ # Sink: The unvalidated data is loaded into a WebView.
+ - pattern: $WEBVIEW.loadUrl(...)
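Review bot: The taint rule declares `pattern-sources` and `pattern-sinks` but no `pattern-sanitizers`, so a flow that is validated between the two (an allowlist check on the host, for example) is still reported, which makes the rule noisy on code that does the right thing; add a `pattern-sanitizers` section once the project decides which validation it accepts, and record that decision under `metadata`. The `summary` is a copy of the one in mastg-android-autoverify-missing.yml and describes neither rule; `summary: Finds deep link query parameters flowing unvalidated into WebView.loadUrl().` is closer. MASTG-TEST-0292 also speaks of "Intent extras", but the only source here is `$URI.getQueryParameter(...)`, so either the test text or the source list should be aligned.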
diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0292.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0292.md
new file mode 100644
index 00000000000..690f555d422
--- /dev/null
+++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0292.md
@@ -0,0 +1,24 @@
+---
+title: Unvalidated URL from Deep Link Loaded in WebView
+platform: android
+id: MASTG-TEST-0292
+type: [static]
+weakness: MASWE-0088
+profiles: [L1, L2]
+---
+
+### Overview
+
+This vulnerability arises when an app accepts a URL from an external source such as a deep link query parameter and loads it into a WebView without validation. An attacker can craft a malicious Intent containing a deep link with a harmful URL. When loaded, the WebView executes the embedded script in the app's context, resulting in a Cross-Site Scripting (XSS) vulnerability. This could allow theft of session cookies, injection of fake content, or unauthorized actions on behalf of the user.
+
+### Steps
+
+Run a static ancalysis tool such as @MASTG-TOOL-0110 on the codebase to detect data flows from deep link parameters (e.g., `getQueryParameter()`) to dangerous sinks (e.g., `WebView.loadUrl()`).
+
+### Observation
+
+The output file shows a data flow where data from an Intent is used in `WebView.loadUrl()` without prior sanitization or validation.
+
+### Evaluation
+
+The test fails due to the application loading an unvalidated URL from an untrusted Intent extra into a WebView. A malicious application can create an Intent with a deep link containing a URL pointing to a malicious website. When this URL is loaded by the vulnerable WebView, the user is redirected to the attacker's site.
diff --git a/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0293.md b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0293.md
new file mode 100644
index 00000000000..51edd419cba
--- /dev/null
+++ b/tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0293.md
@@ -0,0 +1,24 @@
+---
+title: Deep Link Intent Filter Missing android:autoVerify
+platform: android
+id: MASTG-TEST-0293
+type: [static]
+weakness: MASWE-0058
+profiles: [L1, L2]
+---
+
+### Overview
+
+This vulnerability occurs when a deep link intent filter in `AndroidManifest.xml` lacks the `android:autoVerify="true"` attribute. Without verification, Android cannot confirm the app's ownership of the declared domain. A malicious app could register the same intent filter and intercept deep links, enabling phishing, credential theft, or hijacking of user actions.
+
+### Steps
+
+Run a static analysis tool such as @MASTG-TOOL-0110 on the `AndroidManifest.xml` to detect deep link intent filters that are missing the `android:autoVerify="true"` attribute.
+
+### Observation
+
+The output shows a `` that define deep links but do not include the `android:autoVerify="true"` attribute.
+
+### Evaluation
+
+The test fails as App Links verification is not enforced. Without `android:autoVerify="true"`, malicious apps can hijack deep links and redirect users to attacker-controlled content.
diff --git a/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md b/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
index c3baf7ad929..643ac4956cd 100644
--- a/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
+++ b/tests/android/MASVS-PLATFORM/MASTG-TEST-0028.md
@@ -9,6 +9,9 @@ masvs_v1_levels:
- L1
- L2
profiles: [L1, L2]
+status: deprecated
+covered_by: [MASTG-TEST-0292],[MASTG-TEST-0293]
+deprecation_note: New version available in MASTG V2
---
## Overview