Security threats posed by free apps with advertising have become a significant concern recently. An app developer must put at least one Software Development Kit (SDK), called ad library (ad lib), into his or her host program and compile the host program and ad-lib(s) into an executable Android Package (APK) file. Therefore, the ad-lib(s) become part of the APK and have all permissions granted to the app. This study proposes a method of evaluating apps' security focusing on two types of threats: (1) permission misuse of ad-libs in an app and (2) the risk of linked URLs when an app is executing. For the first concern, this study observes the SecurityException and checkPermission mechanisms used by ad-libs to attempt permission misuse. For the second concern, this study conducts both static and dynamic analyses to identify all possible linked URLs of an app and evaluates their risks through third-party utilities. The two issues addressed in this paper are beyond the reach of traditional anti-virus software, which normally inspects the codes and is normally unable to determine threats posed by embedded ad-lib(s) and linked URLs, because embedded ad-lib(s) may steal personal information using the host app's permissions, and the danger of linked URLs does not lie in the app itself. The proposed system thus complements traditional anti-virus software to ensure free-app users' security and privacy.