I just had to sign in to my Google account in an iPhone app (Ingress). The familiar Google sign-in page appeared in what is known as a "web view", that is, a browser that is embedded into the application. The problem I am seeing here is that I don't see the URL that is being loaded into the web view. It could be a page on a completely different domain that just looks like the Google sign-in page. Even if it did show a URL, I couldn't be sure that it actually is what it claims to be, because you could just make it look like it loads google.com even if it didn't.

Should the sign-in page not be loaded in the actual system browser, which I do trust and where I can see the URL and the certificate, and then somehow redirect back to the app?

The only way I can think of is by installing MITMProxy on my computer and watching the traffic as I sign in to confirm that my password is really only transmitted to Google.

Is there a better practice than the sign-in via web view for (iPhone) apps?