The meat of this story is that, instead of showing the Google OAuth flow, which would say “sign in to continue to <app>” with the list of permissions shown to the user, he embedded a web view that is actually a URL for setting up a new Android device. This is exactly the reason Google is doing things like restricting embedded browser sign-ins[0], which HN was particularly critical about[1].