Outsourcing and malicious code

[doosh]

I just had this really simple app made by someone from overseas and I'm concerned about security. It there any way to tell if an app is doing something it's not supposed to? Also, is there any kind of service that would go though an app with a fine tooth comb for anything malicious?

 

[jdbower]

Check what permissions it needs vs. what it has. You can also use it over WiFi and then monitor network traffic at your router (there are some applications that can do this on your phone as well, OSMonitor can do it without being rooted). Make sure you let it run for standard periods and monitor connections, does it send stuff out at midnight? On Sundays? On the first of the month? Heck, it may only send stuff out on Christmas. But your best bet is to just read through the code or, even better, open source the code (assuming you have rights to it) so many people can read through it.

I don't know that there are any services that will do this for you, but then your outsourcing something that will tell you whether outsourcing stuff is safe...

 

[doosh]

Thanks. Wow, that OSmonitor shows a lot of info. Anything in particular I should be posting attention to as a n00b?

 

[jdbower]

Network connections. Try to find connections that don't look legitimate. It's a bit hard to do and much easier if you can connect over Wifi and log them in a firewall, but it's could help you track down an app sending data back home when it shouldn't.

Of course if the app is just a time bomb and six months down the line it bricks your phone you're pretty much out of luck. The only way to be sure is to look through the source, and then make sure that you compile from the source and not use any binaries they gave you.

 

[vinaykrypton]

Hiii ! Thank you for the information. from Outsourcing Android Mobile Application Development


Team, KryptonSoft, India