I’m just passing this along, but I think folks who are doing work in the mobile space and making use of tools like Cordova may find this useful: Code Injection Attacks on HTML5-based Mobile Apps. It is a bit long winded and repetitive, and also a bit out of date (it talks about PhoneGap and how it ships a set of core plugins, which hasn’t been true since 3.0). It also makes some pretty odd statements like, apparently, the same HTML, CSS, and JS works the same across different platforms. Yeah, I’d love to live in that world. But despite that, it does make a good point about XSS and hybrid applications. Read it – digest it – and think about it.
Also be sure to read the recently released Security Guide for Cordova.