  • Conference paper
  • OpenAccess

A Study on Injection Attack Detection and Mitigation for HTML5-Based Mobile Applications (APPs)

Abstract


With the development and spread of smartphones, developing an APP requires attention not only to features but also to development efficiency and smoothness of use. In the past an APP had to be rewritten for each platform; the emergence of hybrid mobile applications (hybrid APPs) solved the cross-platform problem. APPs developed with HTML5 have low cost and high development efficiency while retaining the characteristics of Native APPs. It is well known that the Web is highly susceptible to code injection attacks, and an APP developed on HTML5 inherits advantages such as cross-platform support but also inherits its susceptibility to injection attacks. This paper therefore studies HTML5 APPs systematically to assess whether mobile APPs built with HTML5 technology are secure. We propose an inspection of APPs developed for HTML5 mobile devices: first, checking whether the front end has potential injection points; second, checking whether the developer has declared superfluous permissions or installed unnecessary plugins. Developers can use our analysis results to make modifications and make their APPs safer. The results show that many HTML5-based APPs do indeed have vulnerabilities, and that not all declared permissions and installed plugins are actually used in the program.

Keywords

PhoneGap, static analysis, control flow

Abstract (English)


Smartphones have become more and more popular recently; developing an APP is no longer only about features but also about development efficiency and fluency of use. In the past, an APP had to be developed separately for each platform, which is inefficient. Hybrid APPs solve the cross-platform problem: an APP based on HTML5 is low cost and highly efficient to develop, while retaining the characteristics of a Native APP. As is well known, the Web is easily attacked by code injection. An APP based on HTML5 inherits the benefit of cross-platform support but also the weakness of code injection. Therefore, this paper develops a system to evaluate the security of HTML5-based mobile APPs. The detection system is divided into two parts: the first analyzes whether the APP has any injection channel. Users can download an APP, detect it with our system, and check the leaks on a web page. The second evaluates whether the APP declares more permissions in AndroidManifest, or installs more plugins, than it actually uses. Our system also shows the results on a web page to let users know the dangers. We detected many vulnerabilities in HTML5-based mobile APPs; many APPs declare permissions and install plugins that are not used in the APP.
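The two checks both abstracts describe, as an added Python example that is not the paper's own system: a minimal static scan of a hybrid APP's AndroidManifest.xml and JavaScript that flags DOM/code injection sinks and reports declared permissions whose Cordova/PhoneGap JS API is never called. The manifest, the JS source and the permission-to-API table are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs standing in for an unpacked hybrid APP (not from the paper).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
JS_SOURCE = """navigator.geolocation.getCurrentPosition(function (pos) {
  // position data flows into innerHTML without escaping: a DOM injection channel
  document.getElementById('out').innerHTML = 'lat=' + pos.coords.latitude;
});
$.get('http://ads.example/feed', function (html) { $('#ad').html(html); });
document.getElementById('name').appendChild(document.createTextNode(userName));
"""

# Assumed mapping from Android permissions to the plugin JS APIs that need them.
PERMISSION_TO_API = {
    "android.permission.CAMERA": ["navigator.camera."],
    "android.permission.ACCESS_FINE_LOCATION": ["navigator.geolocation."],
    "android.permission.READ_CONTACTS": ["navigator.contacts."],
}
# Injection sinks: JS constructs that interpret a string as HTML or code.
SINK_PATTERNS = {
    "innerHTML assignment": r"\.innerHTML\s*=",
    "jQuery .html()": r"\.html\s*\(",
    "eval()": r"\beval\s*\(",
    "document.write()": r"document\.write(?:ln)?\s*\(",
}
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(ANDROID_NAME) for e in root.iter("uses-permission"))

def unused_permissions(manifest_xml, js):
    """Declared permissions whose plugin API never appears in the JS (over-declared)."""
    return [p for p in declared_permissions(manifest_xml)
            if not any(api in js for api in PERMISSION_TO_API.get(p, []))]

def injection_sinks(js):
    """(line number, sink name) for every potential injection channel in the JS."""
    hits = []
    for lineno, line in enumerate(js.splitlines(), 1):
        for name, pattern in SINK_PATTERNS.items():
            if re.search(pattern, line):
                hits.append((lineno, name))
    return hits
```

A real scanner would also follow data flow (as the paper's control-flow analysis does) so that a sink fed only by constants is not reported; this pattern match reports every sink.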

Keywords (English)

PhoneGap, static analysis, control flow
