Securing WebViews with Chrome custom tabs

I really wish the idea that apps need to open websites in-app would go away. Like it looks neat when you&#x27;re demoing it for your coworkers but it just increases the number of taps since to do anything useful I need to open in in Chrome&#x2F;Safari anyway.<p>If the in-app browser was just a window into actual Chrome&#x2F;Safai (i.e. it&#x27;s a real tab when you open Chrome&#x2F;Safari and has your logins bookmarks, etc.) and you could &quot;pull&quot; the window into the foreground as a slick transition to the browser app then it would be fine, but as it&#x27;s implemented it&#x27;s mostly just annoying for everything but oauth flows.

&gt;[...] This opens the door for other apps to run malicious code, such as registering callbacks that try to intercept usernames and passwords. Additionally, a malicious app could open another web page that mimics the Link flow in a phishing attempt.<p>I&#x27;m not sure what type of threat model they have, but I don&#x27;t see how this increases security at all. If the app is malicious, there&#x27;s nothing preventing them from faking the CCT interface, or omitting it all together. It&#x27;s not like users would be suspicious if they were asked for credentials outside of a chrome custom tab.<p>Ironically, Plaid is doing the same thing. Their login screen[1] is designed to look like you&#x27;re logging into your bank, even though your passwords are sent in plain text to plaid.<p>[1] <a href="https:&#x2F;&#x2F;plaid.com&#x2F;demo&#x2F;?countryCode=US&amp;language=en&amp;product=transactions" rel="nofollow">https:&#x2F;&#x2F;plaid.com&#x2F;demo&#x2F;?countryCode=US&amp;language=en&amp;product=t...</a>

What happens if you don&#x27;t have Chrome installed on your device?