What's clever here is that it hijacks a full, legitimate login (including asking for the second factor, using proper IP addresses, et al.), then gains the full access token.
Doesn't matter what security the user has added: if they are willing to type their credentials into a web view they lose their trust.