Three weeks ago TechCrunch published an article on how Path.com was fined for stealing its users’ contact lists and saving them onto its servers. Path was made to pay such a huge fine just because it did not comply with COPPA. The article also elaborated on how the FTC introduced a new set of guidelines for mobile developers.
This is more common in apps created using the free (or custom) platforms, where stealing users’ contact lists and tracking user location are very common. Any app that uses certain elements of HTML5 is vulnerable, even when it is created as a native app.
HTML5 apps that run within a mobile browser are also vulnerable to injection attacks, but the extent of the damage will be smaller. The attack will be restricted to accessing information such as the current location.