[void-star]

Not exactly. iOS 7+ introduced Cocoa<->Javascript bridging capabilities in the public APIs. Before that, similar iOS APIs had existed as "private" ones (so, very uncommonly used outside of apple's own apps).

iOS doesn't bridge Javascript to _Java_ which is why this particular attack wouldn't work. But the JS<->Cocoa stuff is still pretty young, so wait and see ;)

[robterrell]

The JS-Cocoa bridge isn't young at all, it's the same bridge that has been on Mac OS X for years. And it's opt-in -- on the native side you have to specify which classes can be bridged and what methods can be called. It's not the case that any bridged webview exposes all of Cocoa for your JS injection pleasure. You could write an app that specifically exposed some dangerous API, but you'd know you had done so.

[lstamour]

> You could write an app that specifically exposed some dangerous API, but you'd know you had done so.

Few people write insecure code on purpose. Of course the same is true of Safari or networking/parsing code. I still maintain certificate pinning is the answer here, to try and defend as much as possible against MITM in the first place.