You should be able to check whether it actually launches safari, e.g. by pressing the home button and the actually launching safari, should look the same as the screen you just left.
On Linux, even if the Twitter app on your desktop launches a browser, it can still do a very effective job of sniffing your password simply by asking the desktop environment for the relevant events. It only works in the browser because everything is sandboxed, with a particular focus on sandboxed-by-domain. See http://theinvisiblethings.blogspot.com/2011/04/linux-securit... , for instance. There are ways to do that on all the desktop environments, I presume, with varying degrees of officialness and popping up administrator password dialogs.