Abstract
Hybrid mobile apps are becoming increasingly popular for building cross-platform mobile applications, where the core business code of apps is written using web technologies, such as HTML, JavaScript (JS), and Cascading Style Sheets (CSS). This technology allows mobile apps to be write-once-run-anywhere, saving substantial time and resources required to develop different apps for different mobile platforms, such as Android and iOS. Hybrid mobile apps are also a lucrative solution for IoT vendors, to assist them in the time-constrained race for market share and provide a quick solution to design cross-platform companion IoT mobile apps to accompany the IoT devices.

However, the fusion of web technologies with the mobile platform also exposes mobile apps to web attacks. Moreover, the inclusion of JavaScript, a powerful and complex scripting language, is dangerous since there is no mechanism to determine the origin (party) of the code to control access. Existing solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Furthermore, most solutions require modification of the base platform.

The main objective of this dissertation is to provide a comprehensive security solution for hybrid mobile apps.
This is achieved through three thrusts:
- building a flexible, fine-grained, principal-based policy enforcement framework for hybrid mobile apps, capable of protecting against a large class of attacks, retroactively, and without modifying underlying operating systems or development frameworks;
- building an automated security assessment framework for hybrid smart home companion apps that can be used by developers or third parties to assess hybrid apps for preexisting security issues; and
- finally, building a web-based framework that can be used to teach advanced cybersecurity skills including concepts of hybrid app security.