Found a juicy hack that works around the webview disabling WebSQL for file: URLs.
For our Chrome Apps plugins, we serve apps from chrome-extension:// URLs instead of file:// URLs. This is possible via shouldInterceptRequest(), where we just map the requests to the files. So... I had the idea to test the WebSQL mobile-spec tests under this scheme (while disabling Android's custom WebSQL work-around), and it seemed to work fine. I think that this means that we could change Cordova app urls to be cordova:// (for ICS+), and could then delete the storage plugin. What do you think?