by throw14082020 1991 days ago
This isn't even a vulnerability. Mobile applications should be using the system browser, not a WebView. This blog post is proud of abusing the users' trust. I can also make an application which opens an OAuth page to a fake-google.com which looks exactly like Google. I guess you can still trick Grannies with his app.

Finally the author admits...

> Nothing I did would technically be considered an ‘exploit’

and of course, admits he lied about the title and multiple sentences in his blog...

> As many of you may have suspected, this post is not entirely truthful.

Poor form.


This is a poor rebuttal.

> Mobile applications should be using the system browser, not a WebView

Maybe honest ones, however there is no reason a dishonest app that is trying to steal your Google account should stick to best practices.

> I can also make an application which opens an OAuth page to a fake-google.com which looks exactly like Google

You have ignored the part about bypassing Google's IP and location based fraud detection. Your idea wouldn't work.

What do you suggest? Lock down allowed WebViews like iOS does, killing actual browsers?