Dynamic analysis. This one is a bit trickier, though still not tough to do. Use an intercepting proxy such as Burp Suite or OWASP ZAP on your main computer (Windows, Mac or Linux). Both default to listening only on the local loopback address, so set the proxy listener to bind to the address of the network interface your mobile device can reach, and put the device on the same local network as the computer (the phone on Wi-Fi, the computer on Ethernet or Wi-Fi).
Next, configure your mobile device's Wi-Fi connection to use the IP address and port of the computer running the proxy as its HTTP proxy. Now the proxy sits between the device and every server it talks to, and you can look inside the traffic. Two caveats: only traffic that honors the system proxy setting shows up, so an app that ignores proxy settings or uses raw sockets won't appear at all (which is itself worth noting), and an app that validates server certificates properly will show only failed HTTPS connections until you export the proxy's CA certificate and install it on the device as a trusted root.
Some common mistakes to look for here are sending usernames, passwords, session tokens or hardware identifiers (IMEI, MAC address, device UDID) across the network without encrypting them. Believe it or not, this is not uncommon. Another mistake that many apps make is to trust the self-signed certificates that both Burp Suite and ZAP generate on the fly for each host they intercept. A quick way to check: before installing the proxy's CA certificate on the device, run the app through the proxy. An app that verifies the server's certificate will refuse the proxy's and fail to connect; if its HTTPS traffic shows up decrypted in the proxy history anyway, the app isn't verifying certificates, and its users are open to man-in-the-middle attacks from anyone who can get between them and the server (a hostile Wi-Fi hotspot will do). This too is sadly not uncommon in today's apps.
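Here's a small script, added to this column as an illustration rather than anything from the original text, that runs those checks over a couple of constructed proxy-history entries: credentials or hardware identifiers sent over plain HTTP, a token in a URL query string, and HTTPS traffic that decrypted even though the proxy's CA certificate was never installed on the device. The record layout, the field names and the `proxy_ca_installed` flag are this script's own assumptions, not a format Burp or ZAP export; the point is to show what to look for in the proxy history, not to replace reading it yourself.

```python
"""Triage of requests captured by an intercepting proxy.

Added example, not code from the original column. The capture records
below are constructed to resemble entries in Burp Suite's or OWASP ZAP's
proxy history; the record fields and helper names are this script's own.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Parameter and header names that normally carry credentials or session state.
SECRET_NAMES = {
    "username", "user", "password", "passwd", "pwd", "token", "session",
    "sessionid", "jsessionid", "auth", "authorization", "cookie", "api_key",
    "apikey",
}

# Heuristic patterns for hardware identifiers that should not leave the
# device in the clear (a 15-digit run is treated as an IMEI, which will
# occasionally misfire on other long numbers; review hits by hand).
HARDWARE_ID_PATTERNS = {
    "IMEI": re.compile(r"\b\d{15}\b"),
    "MAC address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "iOS UDID": re.compile(r"\b[0-9a-f]{40}\b"),
}


@dataclass
class CapturedRequest:
    """One request as shown in the proxy history (assumed layout)."""
    method: str
    url: str
    headers: dict
    body: str = ""


def _fields(req):
    """Yield (location, name, value) for each query parameter, body field and header."""
    parts = urlsplit(req.url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query", name, value
    content_type = next((v for k, v in req.headers.items()
                         if k.lower() == "content-type"), "")
    if req.body:
        if content_type.startswith("application/x-www-form-urlencoded"):
            for name, value in parse_qsl(req.body, keep_blank_values=True):
                yield "body", name, value
        else:
            yield "body", "raw", req.body
    for name, value in req.headers.items():
        yield "header", name, value


def triage(req, proxy_ca_installed):
    """Return the findings (strings) for one captured request.

    proxy_ca_installed says whether the proxy's CA certificate was installed
    on the device before this capture. If it was not, a decrypted HTTPS
    request can only be in the proxy history because the app accepted the
    proxy's forged server certificate, i.e. it is not validating certificates.
    """
    findings = []
    cleartext = urlsplit(req.url).scheme.lower() == "http"

    if not cleartext and not proxy_ca_installed:
        findings.append("app accepted the proxy's forged certificate: "
                        "server certificate is not being validated")

    for location, name, value in _fields(req):
        if name.lower() in SECRET_NAMES:
            if cleartext:
                findings.append(f"{name} sent in cleartext ({location})")
            elif location == "query":
                findings.append(f"{name} in URL query string "
                                "(ends up in server and proxy logs)")
        for label, pattern in HARDWARE_ID_PATTERNS.items():
            if pattern.search(value):
                how = "in cleartext" if cleartext else "over TLS"
                findings.append(f"{label} sent {how} ({location} {name})")
    return findings


def triage_capture(capture, proxy_ca_installed):
    """Map 'METHOD url' to its findings for every request that has any."""
    report = {}
    for req in capture:
        findings = triage(req, proxy_ca_installed)
        if findings:
            report[f"{req.method} {req.url}"] = findings
    return report


# Constructed sample capture: a login over plain HTTP that also leaks the
# IMEI, and an HTTPS request that puts a session token in the query string.
SAMPLE_CAPTURE = [
    CapturedRequest(
        "POST", "http://api.example.test/login",
        {"Host": "api.example.test",
         "Content-Type": "application/x-www-form-urlencoded"},
        "username=alice&password=hunter2&imei=356938035643809",
    ),
    CapturedRequest(
        "GET", "https://api.example.test/profile?token=9f1b2c3d4e5f",
        {"Host": "api.example.test", "Cookie": "session=2f1e0d9c8b7a"},
    ),
]

if __name__ == "__main__":
    # First pass: proxy CA deliberately not installed on the device.
    for request, findings in triage_capture(SAMPLE_CAPTURE, False).items():
        print(request)
        for finding in findings:
            print("  -", finding)
```

Run it once with `proxy_ca_installed=False` against a capture made before the CA went onto the device, and again with `True` after installing it; the certificate-validation finding is only meaningful on the first pass, while the cleartext and query-string checks apply to both.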
If you find any of these things, they should give you pause. Of course, not finding any of these mistakes is no guarantee of safety, but that doesn't mean it isn't worth examining the apps you want to use.
Oh, and if any of the apps you want to use do make any of these common mistakes, think about pointing the developers to OWASP's iGoat (for iOS developers) or OWASP's GoatDroid (for Android developers). Both are free learning tools that walk developers through common problems and their solutions.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.