Indeed, this is the elephant in the OAuth room (at least when it comes to mobile). It's not just limited to apps, either, because in many mobile browsers (notably iOS) it's not possible to verify the authenticity of the certificate used to secure the HTTPS session. On desktop browsers, you can click on the lock icon and see some indication that, yes, this is actually my bank I am talking to. Not so on mobile browsers. And as you rightly point out, when this session is happening in a web view in an app, all bets are off. The page could be from anywhere and there's no way for the user to know if it's secure or not, let alone validate the certificate.
I think we need a standard "chrome" for these chromeless web views that can reliably display security information, including allowing the user to drill down to view information on the certificate.
Is this something being discussed in the W3C coremob community group? http://www.w3.org/community/coremob/ If not, it should be. Paging @jamespearce.