From what others have posted here, any native app that loads the oauth flow in a web view control or whatever it's called, has full control over it, and so can do anything it wants.