I just had to sign in to my Google account in an iPhone app. It's a third-party app that only uses the Google account for authentication. The familiar Google sign-in page appeared in what is known as a "web view", that is, a browser that is embedded into the application. The problem I am seeing here is that I don't see the URL that is being loaded into the web view. It could be a page on a completely different domain that just looks like the Google sign-in page. Even if it did show a URL, I couldn't be sure that it actually is what it claims to be, because you could just make it look like it loads google.com even if it didn't. Should the sign-in page not be loaded in the actual system browser, which I do trust and where I can see the URL and the certificate, and then somehow redirect back to the app?
The only way I can think of is by installing mitmproxy on my computer and watching the traffic as I sign in to confirm that my password is really only transmitted to Google. That's not very practical though.
Is there a better practice than the sign-in via web view for (iPhone) apps?
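The pattern the question describes (system browser, visible URL and certificate, redirect back into the app) is the one RFC 8252 recommends for native apps. As an added example that is not part of the original post, here is a Swift sketch of that flow on iOS using Apple's ASWebAuthenticationSession with PKCE and a state check; the client ID, callback scheme and redirect URI are placeholders you would replace with the values registered for your own app.

```swift
import AuthenticationServices
import CryptoKit

// Hypothetical placeholders: the app's real client ID and its registered reversed-client-ID redirect scheme.
let clientID = "YOUR_CLIENT_ID.apps.googleusercontent.com"
let callbackScheme = "com.googleusercontent.apps.YOUR_CLIENT_ID"
let redirectURI = callbackScheme + ":/oauth2redirect"

// Unpadded base64url, as RFC 7636 requires for the PKCE verifier and challenge.
func base64URL(_ data: Data) -> String {
    data.base64EncodedString().replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
}

// Random bytes from the system CSPRNG, encoded so they can travel in a URL.
func randomToken(_ count: Int) -> String {
    base64URL(Data((0..<count).map { _ in UInt8.random(in: 0...255) }))
}

final class GoogleSignIn: NSObject, ASWebAuthenticationSessionPresentationContextProviding {
    private var session: ASWebAuthenticationSession?

    // On success returns the authorization code plus the PKCE verifier needed for the token exchange.
    func start(completion: @escaping (Result<(code: String, verifier: String), Error>) -> Void) {
        let verifier = randomToken(32)                 // stays inside the app, never shown to the browser
        let challenge = base64URL(Data(SHA256.hash(data: Data(verifier.utf8))))
        let state = randomToken(16)                    // binds the callback to this request
        var comps = URLComponents(string: "https://accounts.google.com/o/oauth2/v2/auth")!
        comps.queryItems = [
            .init(name: "client_id", value: clientID),
            .init(name: "redirect_uri", value: redirectURI),
            .init(name: "response_type", value: "code"),
            .init(name: "scope", value: "openid email"),
            .init(name: "state", value: state),
            .init(name: "code_challenge", value: challenge),
            .init(name: "code_challenge_method", value: "S256"),
        ]
        // The sign-in page renders in a system-controlled sheet the app cannot script or read, not in an app-owned web view.
        session = ASWebAuthenticationSession(url: comps.url!, callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error { return completion(.failure(error)) }
            let items = URLComponents(url: callbackURL!, resolvingAgainstBaseURL: false)?.queryItems ?? []
            // Accept the callback only if it carries the state this app issued; the code is then exchanged,
            // together with the verifier, at the token endpoint over a direct HTTPS request.
            guard items.first(where: { $0.name == "state" })?.value == state,
                  let code = items.first(where: { $0.name == "code" })?.value else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            completion(.success((code, verifier)))
        }
        session?.presentationContextProvider = self
        session?.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { ASPresentationAnchor() }
}
```

Because the password is typed into the system's browser sheet rather than a view the app owns, the app only ever receives the authorization code; the PKCE verifier ensures that a code intercepted on the custom URL scheme cannot be redeemed by anyone else.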