Apple’s answer to the insecure use of in-app browsers? — iOS 9 introduces SFSafariViewController
Apple forcing developers to use an in-app browser instead of spawning Safari has been known as an extremely insecure practice for some time. There are many reasons that this was a bad practice, from both the security and the usability points of view:
An app developer can snatch the user’s password
No URL bar means the user has no visual cue that they are on the right site
It trains users to be phishable
Users are forced to input their password every time, since the webview does not sync cookies etc. with Safari.
With the announcement of iOS 9, there seems to be an interesting feature introduced by Apple in this regard.
It is called SFSafariViewController.
You can find some details here: http://www.hackingwithswift.com/ios9
From the OAuth point of view, having the user click “Done” is sub-optimal. It should automatically happen. Also, it is not clear to me at this moment how to pass the server-generated variables back to the app. It remains to be seen.