Furthermore, there's a couple of other problems with oauth: 1. If the web view is embedded, there are delegate callbacks available to the developer. This means it's trivial for the developer to intercept and examine the request; I.e. read the credentials; embedded web views essentially dont provide what they are attempting to do 2. Every oauth enabled app has a concept of their app key - this is why the provider can say "Application x wants your permission to log in" (and obviously, identify the application for security reasons). When your app is web based, you can secure you app key relatively easily (by encryption, local file permissions, etc.). If you're on mobile, it needs to be embedded in you app (I.e. every copy of your app). You can obfuscate it, but it is _very_ difficult to actually secure it. The first problem is one of user education (never gonna happen), whilst the latter requires operating system capabilities to do right. Incidentally, both iOS and android support URL handling mechanisms to launch apps, so natively jumping out to the browser for oauth does actually work. It is a terrible user experience though