As smartphones store vast amounts of personal data, apps must access this data in compliance with privacy policies and regulations like GDPR. However, apps can sometimes collect and transmit user information without fully adhering to these policies. Additionally, third-party libraries integrated into apps can access user data without the developers’ full knowledge, increasing privacy risks. Vulnerabilities in app code further compromise user data and privacy, allowing malicious actors to steal sensitive information. Code analysis provides a robust solution to these challenges by thoroughly examining app functionalities, identifying vulnerabilities, and uncovering potential risks related to user information extraction. This Ph.D. thesis focuses on static code analysis techniques to address security and privacy issues in Android apps and their connected client systems. It introduces the HideDroid and MarvelHideDroid techniques to mitigate unauthorized exfiltration of user information by apps, and the SEBASTiAn and MITHRAS techniques to identify and exploit security vulnerabilities in both apps and the systems they communicate with. HideDroid is the first methodology to anonymize user information in requests sent to analytics services, safeguarding user identity while preserving data utility. It overcomes current solutions that merely block all network requests to analytics services, which deprives developers of valuable insights. MarvelHideDroid prevents app execution monitoring techniques, such as dynamic instrumentation and virtualization, from extracting complete user information during runtime by injecting anonymization logic directly into the app’s compiled code. SEBASTiAn statically identifies app vulnerabilities by analyzing only the app’s Control Flow Graph (CFG), overcoming current solutions that target outdated Android versions or non-existent vulnerabilities, and that struggle with hybrid apps. This thesis also presents the first study comparing vulnerabilities in original versus obfuscated apps, assessing how obfuscation impacts the effectiveness of Static Application Security Testing (SAST) tools. MITHRAS automates code analysis for both IoT device firmware and its companion app, using Deep Reinforcement Learning (Deep RL) to maliciously modify app requests and exploit Remote Code Execution (RCE) vulnerabilities in IoT devices, addressing gaps in existing solutions that focus solely on crashing the IoT device through its companion app.