by tgsovlerkhgsel 2104 days ago
AFAIK Google doesn't encourage it and made some efforts to block it: https://auth0.com/blog/google-blocks-oauth-requests-from-emb...

Hasn't been 100% effective unfortunately, and even if it was, it's really hard to make users understand that this flow is incredibly dangerous.

And while Google on Android can simply go through system libraries, Facebook doesn't have the option if the app is not installed. They have to open something that will allow the user to log in (usually a browser), which is something the app can fake (in the case of the browser, just fake the whole browser UI, fake address bar included).

2 comments
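As an added illustration of the blocking the comment refers to (example code written for this edit, not Google's implementation): a server-side User-Agent heuristic that an OAuth authorization endpoint could use to refuse requests coming from an embedded webview rather than the system browser. The User-Agent strings below are constructed samples, and the "; wv" and missing "Safari/" markers are the publicly documented tells for Android System WebView and iOS WKWebView respectively; as the comment notes, a User-Agent is trivially changed, so this raises the bar rather than closing the hole.

```python
import re

# Constructed sample User-Agent strings (not taken from the thread).
SAMPLES = {
    "android_chrome": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36",
    "android_webview": "Mozilla/5.0 (Linux; Android 10; Pixel 3 Build/QQ1A.200105.002; wv) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                       "Chrome/80.0.3987.99 Mobile Safari/537.36",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 "
                  "Mobile/15E148 Safari/604.1",
    "ios_webview": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
}


def looks_like_embedded_webview(user_agent: str) -> bool:
    """Heuristic: does this User-Agent look like an in-app webview?"""
    ua = user_agent or ""
    # Android System WebView (Lollipop and later) adds a "; wv" token inside
    # the parenthesised platform section; Chrome itself never does.
    if "Android" in ua and re.search(r";\s*wv\)", ua):
        return True
    # iOS WKWebView/UIWebView keep the "Mobile/<build>" token but omit the
    # "Safari/<version>" token that real Mobile Safari always appends.
    if re.search(r"\((iPhone|iPad|iPod);", ua) and "Mobile/" in ua and "Safari/" not in ua:
        return True
    return False


def authorize_decision(user_agent: str) -> str:
    """Decision for a request hitting the OAuth authorization endpoint.

    Returns "deny_webview" when the client should be told to use the system
    browser instead, otherwise "allow". Hypothetical helper for this example.
    """
    return "deny_webview" if looks_like_embedded_webview(user_agent) else "allow"


if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:16s} -> {authorize_decision(ua)}")
```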

I misunderstood the part I quoted, I thought it was about web pages asking you to log in via Google/Facebook. So the problem I was thinking of is more generally entering Google credentials into logins provided to us by a third party. The "don't use the link in your email to log into Google, go to gmail.com instead" advice has been seriously degraded by this. It should always be that if you aren't already logged in, you have to go yourself to gmail/facebook/etc and log in there.
It wasn't OAuth, it was a normal Facebook login. The application didn't fake anything, but simply extracted the session cookie after login.