I brought this up with the oauth working group and got snarled at by lots of people including Eran Hammer. It's nice to see
that other people are noticing the same problems. When you have a native app, you can show the user anything to get their
confidence, and with some work get their credentials, including apps with webview's. OAuth's security model was not designed
with native apps in mind, it was designed for ~trustable web browsers. This isn't surprising because OAuth was designed before
the current fad for native apps happened around 2006-2007 when the world was all browsers all the time.