

Embedding browsers for 3rd party login – a security issue? - bozho

Many Android apps (including Uber) allow Facebook/Google authentication. To do that, they open an embedded browser, with no address bar, where they show the Facebook/Google login page. You type your Facebook/Google credentials and they get the token.

While I understand what happens - an OAuth flow - embedding a browser without any address bar screams "phishing" to me. How do I know this is indeed Google's login screen, and not Uber's exact copy, which collects my password?

Are there alternative, equally user-friendly ways to achieve the same? Maybe just showing the address bar?
======
pixelcort
IIRC some OAuth providers let you specify a custom URI as a callback. Then you
just load your user's native browser, and have a registered URI protocol
handler that will bring the user back into your app after authorization
completes.
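
The app-side half of the flow described in this comment, as an added example that is not part of the thread: build the authorization URL to open in the system browser, then validate the URI the scheme handler receives. The endpoint, client id and `com.example.app` scheme are hypothetical; the `state` check and PKCE (RFC 7636) go beyond what the comment mentions and are included because a custom scheme can be registered by more than one app.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values: provider endpoint, client id and app-registered scheme.
AUTHORIZE_ENDPOINT = "https://idp.example/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "com.example.app:/oauth2redirect"


def begin_login():
    """Return (url_to_open_in_system_browser, pending) for one login attempt."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (RFC 7636)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(uri, pending):
    """Validate the URI delivered to the app's scheme handler; return the code."""
    got, want = urlsplit(uri), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback is not for the registered redirect URI")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: not the login this app started")
    if "error" in params:
        raise ValueError("provider returned error: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    # The code is then exchanged together with pending["code_verifier"].
    return codes[0]
```

The password is only ever typed into the system browser, where the address bar and any saved provider session are visible; the app sees just the short-lived code.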

