I've been wondering: there are so many apps out there prompting me to enter my user data for big services such as Google, Facebook, or Reddit in a webframe they are displaying within the app in order to retrieve an OAuth token to authenticate myself.
That is all well and good, but I fail to see how this is in any way secure: I have no way to validate that the form I am filling in is actually getting transferred only to my OAuth provider. For all I know, the webview they present me could show their own server's replica of the login page.
Am I missing something very obvious, or is there something horrendously broken with the way most mobile apps implement OAuth? Is there any way I can validate that my data doesn't go to the wrong people with a "login-flow" like that one?