Safari and other mobile applications use WebKit, a web browser engine that provides browser capabilities to any application that embeds it. Most hybrid mobile applications use WebKit so that application features can invoke browser components and integrate them seamlessly for users.
WebKit-based attacks on mobile applications are similar to browser-based attacks on web applications. Cross-site scripting (XSS) and HTML injection are the most common attacks on the WebKit components of mobile applications.
Cross-site scripting takes advantage of an application that reflects user input back to the user without sanitizing the output. If the application reflects malicious JavaScript posted by an attacker back to the user, the script executes in the user's browser. Such scripts could steal a user's session token or download and install malware and backdoors.
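The reflection flaw described above, as an added example that is not code from the original page: a hybrid app builds the HTML it hands to its WebKit view from user input, first unescaped and then with output encoding applied. All function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Characters that let text break out of HTML text or quoted-attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass replacement, so an already-produced '&amp;' is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable (hypothetical): the query is reflected into the markup unchanged,
// so any tags it contains become part of the page the WebKit view renders.
function renderSearchUnsafe(query) {
  return `<p>No results for <b>${query}</b></p>`;
}

// Hardened (hypothetical): the query is encoded for HTML text context first,
// so the view displays it as literal text.
function renderSearchSafe(query) {
  return `<p>No results for <b>${escapeHtml(query)}</b></p>`;
}

// Count opening and closing tags in a rendered fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// A renderer is unsafe for an input if that input adds tags beyond the
// template's own, measured against the same template rendered with ''.
function introducesMarkup(render, input) {
  return countTags(render(input)) > countTags(render(''));
}

// Constructed sample inputs: two plain strings and two that carry markup.
const constructedInputs = [
  'weather',
  'Tom & "Jerry"',
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
];

// Return the inputs for which the given renderer lets markup through.
function audit(render) {
  return constructedInputs.filter((input) => introducesMarkup(render, input));
}

console.log('unsafe renderer leaks markup for:', audit(renderSearchUnsafe));
console.log('safe renderer leaks markup for:', audit(renderSearchSafe));
```

The same `audit` check can be pointed at any function that produces HTML for the embedded view, as a regression test that output encoding has not been dropped.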
The HTML injection slightly...