The iPhone app probably communicates with some servers over an API of some kind - there's no reason someone malicious couldn't pretend to be an iPhone and communicate over the same API.
Actually, now that I think about it, Microsoft apps could only require a captcha if the username trying to log in doesn't match the user's previous iCloud user token.
I’m thinking about how Overcast uses a token linked to the user’s iCloud account and doesn’t require a username and password if you only use iOS devices. You can optionally add a username and password to access the web client.
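The token-bound login idea the two comments above describe, written out as an added example that is not code from the thread or from any of the apps named in it. It assumes a constructed server secret and hypothetical function names (`issue_device_token`, `verify_device_token`, `login_decision`); the server mints an HMAC-protected token tied to one account, and the login endpoint only skips the captcha when a valid token is presented for the same username it was bound to.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example only; a real service would load it from a secret store.
SERVER_SECRET = b"example-only-server-secret"


def issue_device_token(user_id: str) -> str:
    """Mint a token bound to one account: random nonce + HMAC over (user_id, nonce)."""
    if ":" in user_id:
        raise ValueError("user_id must not contain the field separator")
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{nonce}:{tag}"


def verify_device_token(token: str) -> Optional[str]:
    """Return the user_id the token is bound to if its MAC verifies, otherwise None."""
    try:
        user_id, nonce, tag = token.split(":")
    except ValueError:
        return None  # malformed token (wrong number of fields)
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot guess the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return user_id


def login_decision(username: str, device_token: Optional[str]) -> str:
    """Decide what the login endpoint demands for this request.

    'token'   - a valid token bound to the same username: no captcha needed
    'captcha' - missing/invalid token, or a token bound to a different user:
                fall back to password plus captcha
    """
    bound_user = verify_device_token(device_token) if device_token else None
    if bound_user is not None and bound_user == username:
        return "token"
    return "captcha"


if __name__ == "__main__":
    tok = issue_device_token("alice")
    print(login_decision("alice", tok))   # same user, valid token
    print(login_decision("bob", tok))     # token bound to someone else
    print(login_decision("alice", None))  # no token at all
```

The point of the MAC is the first comment's concern: anyone can speak the API, so the server cannot trust a bare user identifier sent by "an iPhone"; it can only trust a token it minted itself and can re-verify. Swapping the user field in a token invalidates the tag, and presenting a valid token under a different username still lands on the captcha path.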