Kenneth Van Wyk: What users can do to make their smartphones more secure

04.06.2012

Dynamic analysis. This one is a bit trickier, though still not tough to do. Use an intercepting proxy tool such as Burp Suite or OWASP's ZAP on your main computer (Windows, Mac or Linux). Set the proxy to listen on the network interface your computer shares with the phone, not only on localhost, and make sure both devices are on the same Wi-Fi network.

Next, configure your mobile device's Wi-Fi connection to use a manual proxy, pointing it at the IP address and listening port of the computer running the proxy tool. From then on the proxy records every HTTP and HTTPS request the device sends through it, and you can look inside each one. Keep in mind that only traffic honoring the system proxy setting shows up: an app that hard-codes its own connections or speaks a non-HTTP protocol will bypass the proxy, which is itself worth noting.

Some common mistakes to look for here are sending usernames, passwords, session tokens or hardware identifiers (such as an IMEI or device ID) across the network without encrypting them. Believe it or not, this is not uncommon. Another mistake that many apps make is to accept whatever SSL certificate a server presents, including the self-signed ones that both Burp Suite and ZAP generate on the fly for every HTTPS host the device connects to. The test is simple: if you have not installed the proxy's CA certificate on the device and the app's HTTPS traffic still shows up in the proxy's history in the clear, the app is not verifying the server's certificate, and its users are open to man-in-the-middle attacks. This too is sadly not uncommon in today's apps.
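As an added example (not from this column, and not part of Burp Suite or ZAP), here is a small Python script that triages a proxy capture for the two mistakes just described: sensitive values travelling over plain HTTP, and HTTPS requests the proxy was able to read at all. It assumes you have exported the proxy's history into simple request records; the hostnames, identifier values and requests below are constructed for illustration.

```python
"""Triage a proxy capture for sensitive values sent over plain HTTP and for
HTTPS traffic the proxy could read (the app accepted its forged certificate).
Added example; all request records and identifier values are constructed."""
from dataclasses import dataclass
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter, cookie and header names that commonly carry credentials, session
# tokens or hardware identifiers. Names are lower-cased, stripped of punctuation
# and of a leading "X-" before matching, so "X-Device-ID" and "device_id" both
# match "deviceid". Extend this list for the app under test.
SENSITIVE_KEYS = {
    "user", "username", "login", "email", "pass", "password", "passwd", "pwd",
    "pin", "token", "accesstoken", "authtoken", "authorization", "session",
    "sessionid", "sessiontoken", "sid", "imei", "udid", "uuid", "mac",
    "macaddress", "deviceid", "serial",
}


@dataclass
class Request:
    """One entry from the proxy's history."""
    method: str
    url: str
    headers: dict
    body: str = ""


@dataclass(frozen=True)
class Finding:
    url: str
    location: str  # "query", "body", "header:<name>" or "tls"
    key: str


def _is_sensitive(name):
    leaf = re.sub(r"^x-", "", name.rsplit(".", 1)[-1], flags=re.I)
    return re.sub(r"[^a-z0-9]", "", leaf.lower()) in SENSITIVE_KEYS


def _flatten_json(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf of a parsed JSON document."""
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else enumerate(obj)
        for k, v in items:
            yield from _flatten_json(v, f"{prefix}{k}.")
    else:
        yield prefix.rstrip("."), obj


def _body_pairs(req):
    """Decode a form-encoded or JSON body into (name, value) pairs."""
    ctype = next((v for k, v in req.headers.items() if k.lower() == "content-type"), "")
    if not req.body:
        return []
    if "json" in ctype.lower():
        try:
            return list(_flatten_json(json.loads(req.body)))
        except ValueError:
            return []
    return parse_qsl(req.body)


def triage(requests, proxy_ca_trusted_on_device=False):
    """Return one Finding per place a sensitive value crosses the wire unprotected."""
    findings = []
    for req in requests:
        parts = urlsplit(req.url)
        if parts.scheme.lower() == "https":
            # The proxy can only log HTTPS by presenting its own certificate for the
            # host; unless its CA was deliberately installed on the device, the app
            # accepted a certificate it should have rejected.
            if not proxy_ca_trusted_on_device:
                findings.append(Finding(req.url, "tls", "accepted untrusted certificate"))
            continue
        if parts.scheme.lower() != "http":
            continue
        for k, v in parse_qsl(parts.query):
            if _is_sensitive(k) and v:
                findings.append(Finding(req.url, "query", k))
        for k, v in _body_pairs(req):
            if _is_sensitive(k) and v not in (None, ""):
                findings.append(Finding(req.url, "body", k))
        for name, value in req.headers.items():
            if name.lower() == "cookie":
                for part in value.split(";"):
                    k, _, v = part.strip().partition("=")
                    if _is_sensitive(k) and v:
                        findings.append(Finding(req.url, "header:Cookie", k))
            elif _is_sensitive(name) and value:
                findings.append(Finding(req.url, f"header:{name}", name))
    return findings


# Constructed sample capture: .test hostnames and fake identifier values.
SAMPLE_CAPTURE = [
    Request("GET", "http://api.example.test/login?user=alice&password=hunter2",
            {"Host": "api.example.test", "User-Agent": "DemoApp/1.0"}),
    Request("POST", "http://api.example.test/v1/register",
            {"Host": "api.example.test", "Content-Type": "application/json"},
            '{"device": {"imei": "000000000000000", "model": "X1"}, "token": "abc123"}'),
    Request("GET", "http://cdn.example.test/logo.png",
            {"Host": "cdn.example.test", "Cookie": "sessionid=deadbeef; theme=dark"}),
    Request("GET", "http://api.example.test/status",
            {"Host": "api.example.test", "X-Device-ID": "device-42"}),
    Request("POST", "https://api.example.test/sync",
            {"Host": "api.example.test", "Authorization": "Bearer abc123"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CAPTURE):
        print(f"{f.location:20} {f.key:28} {f.url}")
```

Run it as-is to see the findings for the constructed capture; to use it on a real capture, replace SAMPLE_CAPTURE with the requests exported from your proxy and pass `proxy_ca_trusted_on_device=True` only if you really did install the proxy's CA certificate on the phone, otherwise every HTTPS request in the history is evidence that the app skipped certificate verification.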

If you find any of these things, they should give you pause. Not finding them is no guarantee of safety, of course, but it is still worth exploring the apps you want to use.

Oh, and if an app you want to use does make one of these common mistakes, think about pointing the developers to OWASP's iGoat (for iOS developers) or OWASP's GoatDroid (for Android developers). Both are free learning tools that expose developers to common problems and their solutions.