Across the world, governments increasingly require citizens to install specific smartphone apps. Tax authorities push e-invoicing apps. Border agencies mandate health-declaration apps. Some countries require contact-tracing tools, digital ID wallets, or toll-payment apps before you can drive a highway or board a train. In 2022, researchers at the Citizen Lab and others documented multiple state-issued apps that requested far more permissions than their stated function needed, including one major sporting event's mandatory app that could read arbitrary files and disable device encryption flags.
Here is the uncomfortable part: "mandatory" does not mean "trustworthy." A government app is still software written by a contractor, often rushed, frequently outsourced, and rarely subjected to independent security review before it lands on millions of phones. You are still the device owner. You still have the right, and arguably the responsibility, to understand what that app does before it touches your contacts, location history, and camera.
This guide walks you through how to audit mandatory smartphone apps using tools you can run yourself, with no prior reverse-engineering experience. You will learn how to read an app's permission manifest, watch its live network traffic, check what trackers it bundles, and decide where to draw your own privacy line. None of this requires jailbreaking or breaking any law.
Key Takeaways
- Audit before you trust. A government mandate does not exempt an app from scrutiny. Read its permissions and watch its traffic.
- Permissions tell you intent; traffic tells you behavior. Always check both, because an app can request a permission it never uses, or abuse one quietly.
- Isolate the app using a separate user profile, a work profile, or ideally a dedicated cheap device so it cannot see your personal data.
- Use free static and dynamic tools like exodus-privacy, MobSF, mitmproxy, and Android's built-in permission manager. You do not need to be a security researcher.
- Document what you find so you can revoke permissions, file complaints, or justify your decisions later.
Why Auditing a Mandatory App Is Different From Vetting Any Other App
When you choose to install a game, you can simply uninstall it if the permissions look greedy. A mandated app removes that exit. You may need it to file taxes, cross a border, or keep a business license. That changes the goal of your audit.
You are not deciding whether to install. You are deciding how to contain the app so it does the one job the law requires while exposing the least possible data. The mindset is closer to running untrusted code in a sandbox than to shopping for software.
The same containment thinking applies to other risky software categories. We covered a parallel example in our guide on how to lock down AI agent browsers before extensions hijack them: when you cannot fully trust a tool, you wall it off rather than ban it.
What "auditing" actually means here
- Static analysis: inspecting the app package without running it (permissions, embedded trackers, declared servers).
- Dynamic analysis: running the app while watching what it actually does (network calls, file access, background activity).
- Containment: structuring your device so the app's reach is limited regardless of what it requests.
Step 1: Get the App Package Before You Install It
On Android, the installable package is an .apk (or split .aab-derived APKs). You want this file before the app runs on your real phone, so you can analyze it on a computer first.
- Find the official source. Note the exact developer name and package ID (something like
gov.example.taxapp). Mandated apps are often distributed on the Play Store and a government website. Compare the two. They should match byte-for-byte. - Pull the APK. If you already have it on a test phone, tools like
adb shell pm path <package>followed byadb pullextract it. Otherwise reputable APK mirrors can help, but always verify the signing certificate (more on that below). - Verify the signature. Run
apksigner verify --print-certs app.apk. Record the SHA-256 of the signing certificate. If the government later pushes an "update" signed by a different key, that is a red flag worth investigating.
This verify-the-source discipline mirrors what we recommend for web software in our piece on how to verify a WordPress plugin's update server before updating. Provenance matters everywhere.
A note on Windows tooling for the file-handling parts
If you are wrangling extracted app files, symlinking analysis folders, or organizing multiple APK versions on a Windows machine, a small utility like Windows Symlink Creator Pro keeps your workspace tidy without duplicating gigabytes of build artifacts. You can browse more options in the desktop utilities and Windows software categories.
Step 2: Read the Permissions Like a Skeptic
Every Android app declares its permissions in AndroidManifest.xml. You can read them without installing using aapt dump permissions app.apk or by uploading the APK to a tool like the open-source Mobile Security Framework (MobSF).
The question is never "does this app have a lot of permissions?" It is "does each permission map to a function I can name?"
Worked example: a tax e-invoicing app
Say you download a mandated invoicing app and find it requests 14 permissions. You list them and try to justify each:
INTERNET— needed, it submits invoices. ✅CAMERA— plausible, it scans QR codes on receipts. ✅READ_CONTACTS— why? Invoicing does not need your address book. ⚠️ACCESS_FINE_LOCATION— why? GPS is irrelevant to filing a digital invoice. ⚠️READ_SMS— claims it auto-reads OTP codes, but that exposes every message. ⚠️RECORD_AUDIO— no defensible reason for an invoicing tool. 🚩
Out of 14 permissions, you can justify 9. Five are questionable and one is alarming. That is your finding. It does not necessarily mean malice, often it is lazy reuse of a template, but it tells you exactly which permissions to deny after installation.
Step 3: Detect Trackers and Third-Party SDKs
Government apps frequently bundle commercial analytics and advertising SDKs that the agency may not even realize are phoning home. The free Exodus Privacy scanner reads an APK and lists embedded trackers and the permissions they correlate with.
Run your APK through it (or its self-hostable version) and note results. A real-world surprise pattern: a "simple" government health app shipping Google Firebase Analytics, a Facebook SDK, and a crash-reporting library from a third country, each with its own data-sharing terms.
Knowing which SDKs are baked in matters because you inherit their data flows. If you build or evaluate software yourself, the same vetting logic appears in our guide to vetting AI vibe-coding tools before trusting them with code and in how to verify AI-generated code before you ship it. Bundled dependencies are where surprises hide.
Step 4: Watch the Live Traffic (Dynamic Analysis)
Static analysis shows intent. Dynamic analysis shows behavior. The gold standard for a self-audit is intercepting the app's network traffic with mitmproxy on a device or emulator you control.
- Set up an emulator or spare phone. Use a Google Pixel emulator image or a cheap second device you do not use for personal data.
- Install mitmproxy on your computer and configure the device's Wi-Fi proxy to point at it (for example
192.168.1.10:8080). - Install the mitmproxy CA certificate as a user certificate so you can read HTTPS traffic. Note: many apps use certificate pinning and will refuse to connect, which is itself useful information about how locked down the app is.
- Open the app and use it normally. File a test invoice, register, log in. Watch every domain it contacts in the mitmproxy flow list.
- Look for unexpected destinations. A tax app talking to
api.tax.gov.exampleis expected. The same app callinggraph.facebook.comor an analytics endpoint in another jurisdiction is worth recording.
Reading the results
Make a simple table of every endpoint, what data left your device, and whether it was encrypted. If you see plaintext personal identifiers, location pings sent every 30 seconds, or contact lists uploaded on first launch, you now have concrete evidence rather than vague unease.
Static vs Dynamic vs Containment: Which Approach Catches What
No single technique is enough. Here is how the main approaches compare on the things that matter.
| Approach | Tools | Catches | Effort | Cost |
|---|---|---|---|---|
| Permission review | aapt, MobSF, OS settings | Stated intent, over-permissioning | Low | Free |
| Tracker scan | Exodus Privacy | Bundled analytics/ad SDKs | Low | Free |
| Traffic interception | mitmproxy, Burp | Real data flows, hidden servers | Medium | Free |
| Static code analysis | MobSF, jadx | Hardcoded keys, risky API calls | High | Free |
| Device containment | Work profile, spare device | Blast radius regardless of behavior | Medium | Low |
The practical answer for most people: do the two low-
Cover image: Omar #263 by The Urban Scot, licensed under BY 2.0 via Openverse.
