Google Android, Apple iOS and Windows Phone have different containers that apps use for accessing services, so developers let the framework creators handle the plumbing underneath the Web app.
Examples of frameworks include PhoneGap, RhoMobile and Appcelerator. The researchers studied 186 PhoneGap plugins and found 11 that were vulnerable to the code-injection attack.
While the researchers only used PhoneGap and Android for their work, the same problems were applicable across operating systems.
"Since apps are portable across platforms, so are their vulnerabilities," the researchers said. "Therefore, our attacks also work on other platforms."
Sign up for CIO Asia eNewsletters.