We are witnessing a transition in the development of mobile operating systems from native custom architectures to web-based cross-platforms. Bringing web code to smartphones has several security implications. In this paper, we present a large-scale study centered on the configurations and permission usage patterns of mobile hybrid apps. We study the platform configuration model and its evolution. We find that while the platform is adding more security features, there is a demonstrable misconfiguration trend. Analyzing a set of 2111 hybrid apps uncovered several alarming observations. We found that 80% of the apps are vulnerable to injection attacks because the security model provided by the platform is either not used or used poorly. We also detect a trend of keeping risky default configuration settings, which results in over-privileged apps that may expose device APIs to malicious code. On the system side, we find that most of the apps have access to the platform's INTERNET and GEOLOCATION permissions. Google messaging is also recognized as the most widely used third-party service. In addition, we detect a suspicious set of white-listed domains, including spying, payment, adware, and military domains. This study makes the following contributions: (1) systematizing our knowledge of the mobile hybrid app configuration model; (2) providing evidence of configuration misuse and of developers' tendency to use defaults; (3) discussing possible reasons for misconfiguration practices and suggesting recommendations that address both the platform and the developer.