Numerous mobile applications allow me to “Login with Google”.
From a technical perspective, I assume this would usually follow these OAuth native app login integration guidelines: https://developers.google.com/identity/protocols/oauth2/native-app
From a user perspective, on both iOS and Android an embedded window of the system browser (not a “WebView” though!) is opened. I am encouraged to enter my credentials in a familiar Google login form, and Google’s URL is clearly visible.
Now, I understand that the mobile application environment is able to control this embedded browser window, either to some extent or fully: the memory, the user interface layers, injecting scripts, etc. Maybe this assumption is partially/fully incorrect?
Question: can any mobile application that implements Login with Google actually “sniff” my credentials in any manner? Can they do that “at scale”, or would it require e.g. physical access to the device (for some reason)?