Hacker News
by trotsky 4858 days ago
Once you've downloaded and installed a native application and plan to grant it access to your Google account, you've decided you trust the application. If you install a malicious app and give it credentials it can fuck you about 50 different ways, even if there is a URL bar indicating you're on a google.com server.

Any app that takes an ASP would otherwise be storing your main account password. Two-step is still improving your security posture here - your main credential can't be used without the temporal PIN, so the ASP is actually much more valuable.

If you're still concerned about a native popup, just don't enter your correct password the first time. If it fails you're probably pretty safe - phishing-style credential captures usually won't pass it through and risk server-side anomaly detection.