The Situation:
Alice uses an online banking website which stores a cookie of her credentials.
Before the cookie expires, Eve sends Alice a malic
Web browsers and apps do not share the same cookie store, so CSRF attacks in this manner shouldn't be possible. Apps can also use a web view, but each web view has its own cookie store [1], so a CSRF attack between two apps is also not possible.
From reading this [2], it does look like it is possible to store cookies on the file system, which could be used as an attack vector via another app, but not via a web browser.
[1] http://developer.appcelerator.com/question/123991/cookie-sharing-between-defaultnative-browser-and-webviews-in-an-app
[2] http://developer.android.com/reference/android/webkit/CookieManager.html