Nowadays, there are more and more hybrid apps appearing in the app market which contain native code and Web pages. In order to enhance the ability of JavaScript in the WebView, these apps expose methods that can be invoked by JavaScript. However, when we study the communication from JavaScript to native code, we find a security issue that if the exposed methods finally invoke sensitive methods, such as SEND SMS, getLastKnownLocation, and these exposed methods are called via unsafe connections, malicious code can be injected to perform sensitive operations without the user's consent. To automatically detect this vulnerability, we provide a hybrid system that contains both static and dynamic analysis modules. The static analysis discerns potential vulnerable apps and gathers information to guide the dynamic analysis while the dynamic analysis executes the app to verify whether the app is vulnerable or not. We use this system to test 400 most popular apps in the Google Play market and find that 43 apps are vulnerable.