by mooreds 2069 days ago
The best practice for native apps is to use PKCE now, I believe.

See section 4.1.1 of the OAuth 2.1.1 spec (https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00), which was, I believe, also included in the security best practices.

1 comments

While that's true, it's irrelevant to my comment. PKCE is layered on top of either of the two strategies I described and solves a totally different problem (untrustworthy user agents).