Automated reverse-engineering and auditing of mobile apps

Privacy-intrusive apps have been in the news lately, and it’s clear that a lot of people don’t know what the apps on their phone actually do. The goal of this Hackathon is to create an embryo for a service that creates a privacy score for apps based on reverse-engineering and static code analysis to check for specific API calls and (tracking) libraries.

The Hackathon will be inspired by the design sprint, where the idea, design and prototype(s) will be explored and developed together and in smaller teams.


The overall question we want to answer is “What can we do to expose the privacy intrusion of individual mobile apps and help people make conscious decisions about whether an app is worth installing?” In the long run, we want to raise awareness and influence app developers to make apps that respect user privacy.

Normally a design sprint is 5 days; since we want to do it in 2.5h, we’ll have to cut a lot of corners.


The agenda will be something like this:

  • Quick intro to the goal
  • Interview, a.k.a. “Ask the expert”, where we sit down in a group, narrow down the solution and identify possible obstacles
  • Map - Identify actors and actor goals
  • Here we have to split the group into UI and Tech
    UI:
    - Sketch - We sketch different “concepts” as 1 big + crazy eights
    - Decide on one concept and create a storyboard of all screens and actions
    - Prototype (on paper or a mock/real UI)
    Tech:
    - Design/discuss the different technical obstacles and solutions
    - Sync interface with UI team
    - Prototype/PoC
  • Demo
  • Discuss next steps


To join this Hackathon you should have relevant experience in any of the following fields:

  • Android/iOS reverse-engineering
  • Static code analysis or similar
  • UX-/UI-design and/or frontend development
  • Backend development
  • How to isolate somewhat dangerous server-side code (think running hackish tools with user-input binary blobs and protecting against things like zip bombs, file hijacking and command injection)


The goal is to have prototypes of the UX and a rudimentary privacy score algorithm using reverse engineering and static analysis. All work will be published open source and hopefully people will continue to work on the project to get a working service up and running.


Magnus has spent the last 25 years building software for the Internet and has a strong interest in privacy, security and all things connected. He has been developing kernel drivers, web apps and everything in between including his own TCP/IP implementation, a complete VPN-server/client with MITM-credential injection and a NAT-traversing P2P connection library used by millions of clients. He is one of the founders and main organizers of 0xFF.


17.30-18.00 Pre-event mingle
18.00-18.15 Introduction to the objective
18.15-20.30 Mini design sprint
20.30-21.00 Demo and next steps

Code of Conduct

Please read our Code of Conduct before attending the event.

When and where

When: May 16th, 2019, 17.30 (door closes at 18.00)

Where: Regeringsg. 30, Stockholm. Follow the 0xFF-signs, 4th floor, “Convendum”.


The event is free of charge but the number of seats is limited.

The registration is now closed.