6.2 Security Considerations

Always open a native browser or use SFSafariViewController

You should never display the OAuth authorization prompt inside an embedded web view (such as a WKWebView or UIWebView) that your app controls. An embedded web view gives the user no way to verify the origin of the page they are looking at, since there is no address bar, and the host app can read or modify anything inside it, including the password fields. It would be trivial for an attacker to create a web page that looks just like the authorization page and embed it in their own malicious app, giving them the ability to steal usernames and passwords. Even a legitimate app that embeds the real authorization page trains users to type their credentials into a context they cannot verify.

Instead, hand the authorization request to the system browser or to an in-app browser tab such as SFSafariViewController (on newer iOS versions, ASWebAuthenticationSession; on Android, Chrome Custom Tabs), which runs in the browser's own process, shares the user's existing session cookies, and cannot be inspected by your app. This is the approach recommended by RFC 8252 (OAuth 2.0 for Native Apps).

PKCE

If the service you are using supports the PKCE extension (RFC 7636 https://tools.ietf.org/html/rfc7636), then you should take advantage of the additional security it provides. PKCE was designed specifically for native apps: it binds the authorization code to the client instance that started the request, so an authorization code intercepted on the redirect (for example by another app registered for the same custom URL scheme) cannot be exchanged for an access token. Use the S256 challenge method rather than "plain" wherever the service allows it. Often, as in the case of the Google OAuth APIs, the native SDK provided by the service will handle this transparently, so you don't have to worry about the details and you benefit from the additional security without any additional work. If you are building the requests yourself, you need to generate a fresh code_verifier per authorization request, send its code_challenge on the authorization request, and send the code_verifier with the token request.

We cover the PKCE extension in detail in the PKCE chapter.
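The following is an added example, not code from the book or from any service's SDK, showing the two halves of PKCE that a native app and an authorization server each have to get right: the client generates a random code_verifier and derives the S256 code_challenge sent on the authorization request; the server later recomputes the challenge from the code_verifier presented at the token endpoint and compares it to the one it stored with the authorization code. It checks the derivation against the test vector in RFC 7636 Appendix B. The function names, the example endpoint URL and the client identifiers are assumptions made for illustration.

```python
"""PKCE (RFC 7636) helpers: client-side verifier/challenge generation and the
server-side check at the token endpoint.  Added example, not the book's code."""

import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Known-answer test vector from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 section 4.1: code_verifier uses unreserved characters only,
# length between 43 and 128 characters.
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: fresh random verifier for each authorization request.

    32 random bytes encode to 43 characters (the RFC minimum); 96 bytes
    encode to 128 characters (the maximum).  Uses the OS CSPRNG.
    """
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return b64url_nopad(secrets.token_bytes(n_bytes))


def is_valid_verifier(verifier: str) -> bool:
    """Syntactic check a server should apply before hashing anything."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, state: str,
                            code_challenge: str) -> str:
    """Client side: the URL to open in the system browser / SFSafariViewController.

    Only the challenge leaves the device here; the verifier stays in app
    memory until the token request.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def verify_code_challenge(verifier: str, stored_challenge: str,
                          method: str = "S256") -> bool:
    """Server side, at the token endpoint.

    `stored_challenge` and `method` are what the server saved alongside the
    authorization code when it was issued.  Only S256 is accepted; a request
    using "plain" (or an unknown method) is rejected, since with "plain" an
    attacker who saw the challenge already holds the verifier.
    """
    if method != "S256" or not is_valid_verifier(verifier):
        return False
    expected = code_challenge_s256(verifier)
    # Constant-time comparison so timing does not leak how many leading
    # characters of the challenge matched.
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Client: start of the flow.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorization_url("https://auth.example.com/authorize",
                                  "example-client-id",
                                  "com.example.app:/oauth2redirect",
                                  secrets.token_urlsafe(16), challenge))
    # Server: after the app presents the code and verifier at the token endpoint.
    print("verifier accepted:", verify_code_challenge(verifier, challenge))
```

The server must store the code_challenge and code_challenge_method with the authorization code at issuance time and refuse to issue a token if the token request arrives without a code_verifier for a code that was issued with a challenge; otherwise a client that omits PKCE on the second leg silently downgrades the protection.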