I'm curious about how modern mobile apps authenticate users without relying on the system browser. I know that PKCE (Proof Key for Code Exchange) is a recommended method that enhances security when using OAuth 2.0, as outlined in RFC 8252. However, I've noticed that many mobile apps don't seem to use the system browser for logging in or signing up, which feels like a disconnect between best practices and what developers implement. Are apps often bypassing PKCE? Are they creating their own authentication methods instead? As someone coming from a machine learning background, I'm finding this area a bit confusing and would appreciate some clarification.
5 Answers
It's not uncommon for many apps to skip strict security practices and develop their own authentication because it simplifies the user experience. Some actually do use PKCE with the system browser, but it's often so well concealed that users don't even notice the browser opening. Others completely disregard standard practices and hope no one checks their security—which can backfire.
PKCE is relevant only if the app is using OAuth. For example, some apps like Reddit use the device's browser to log in with Google.
You can also look into user password grants as a method of authentication.
Many mobile apps might not actually be using OAuth 2.0, so PKCE wouldn’t apply. Instead, they probably just send API requests to generate tokens and refresh them as needed.
Pretty much all modern OSes have a built-in browser, so it’s rare to find exceptions. Most apps implement logging in through OAuth for third-party auth, or they can create their own first-party authentication systems with simple endpoints that take identifiers and passwords, often using JWTs. It seems like some apps might still use PKCE but hide the browser pop-up, while others roll their own methods, which can be risky.
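The PKCE exchange the question and answers refer to, as an added example that is not code from the original thread: the client-side code_verifier/code_challenge derivation from RFC 7636 (S256 method) and a constructed, in-memory stand-in for an authorization server that performs the token-endpoint check, showing why an intercepted authorization code alone is not enough.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43-character base64url string (RFC 7636 allows 43..128).
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory model of the server-side PKCE bookkeeping (not a real AS)."""

    def __init__(self):
        self._codes = {}  # issued authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Authorization endpoint: bind the challenge to the freshly issued code.
        if method != "S256":
            # 'plain' gives no protection against code interception; refuse it.
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Token endpoint: the code is single-use, and the presented verifier must
        # hash to the challenge that was bound to it at authorization time.
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> bool:
    # Legitimate flow: the app that created the verifier redeems the code.
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier)
```

Calling `server.token` a second time with the same code, or with a verifier the app did not originally create, returns `False`, which is the property that protects the authorization code when it travels through a custom URL scheme that another app might also register.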