This suggestion comes up a lot, and yet isn't practical. I can read and write code, like many, but haven't the time or inclination (and arguably skill) to "verify it is secure". I can however watch what an app sends over the wire, which applies as much to proprietary as it does to open source software.
How do you go about verifying an arbitrary app is secure?
You can trust that there are a lot more developer eyes on open source software than proprietary software. You personally may not be able to verify every piece of software you have, but if you run free/open software, you know it's theoretically possible to discover vulnerabilities, and that you'll find out eventually if those security holes are found. In the worst case, you can hire a security professional to personally audit a program that is particularly important to you or your business.
I realise that I'm risking being contrary, but my question is serious.
How would I know that an app has had lots of developer eyes on it or not? It's crazy difficult to uncover the latest known security posture of open source software.
Finding out eventually is the exact same risk I take when I use proprietary software. It requires my trust. And it's theoretically just as possible to discover vulnerabilities in closed-source software (Windows, for example).
You really trust a custom compiled version of Android from "1337haxor2" which has auto-update capabilities built in?
The easier way would be to monitor network traffic. If random encrypted information is uploaded, then block it, whether or not you have an "open source" ROM.
Better yet, just get a Nexus device without the carrier apps pre-installed. Stock Android does not have an "upload all data to the NSA" feature built in; it would be easily discovered and would be the biggest news story of the decade.
Unless you are the NSA, I wouldn't advise using a custom version of Android; you'd likely be much less secure than with a stock (and up to date) version.