Jerry,
Feedback I received from our internal teams:
Mobile apps can leverage browser session cookies / token by using Safari View Controller (SFViewController) in iOS or Chrome Tabs in Android instead of a normal WebView.
The flow doesn’t change much and Safari and Chrome will reuse existing and valid cookies / token to perform SSO.
More info here: https://tools.ietf.org/html/draft-ietf-oauth-native-apps-03
4. Overview
At the time of writing, many native apps are still using web-views, a type of embedded user-agent, for OAuth. That approach has multiple drawbacks, including the client app being able to eavesdrop user credentials, and is a suboptimal user experience as the authentication session can't be shared, and users need to sign-in to each app separately. OAuth flows between a native app and the system browser (or another external user-agent) are more secure, and take advantage of the shared authentication state to enable single sign-on. Inter-process communication, such as OAuth flows between a native app and the system browser can be achieved through URI-based communication. As this is exactly how OAuth works for web-based OAuth flows between RP and IDP websites, OAuth can be used for native app auth with very little modification.
and here: https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html
Or here: https://developer.pingidentity.com/en/resources/napps-native-app-sso.html
Notice: Currently our Mobile SDKs are still using Webview and will not be able to leverage this feature. We will be adding this solution in later releases.
Sincerely,
Stephen Hughes
Director, CA Support
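As an added illustration of the system-browser flow the draft describes (example code written for this note, not CA's Mobile SDK and not code from the draft or the linked articles), the iOS snippet below opens the authorization request in SFSafariViewController with a PKCE code challenge and a state value, then validates the redirect that comes back through the app's custom URL scheme. The identity provider endpoint, client id, redirect scheme, scopes and the AppDelegate wiring are hypothetical placeholders; the token-endpoint exchange is left as a comment.

```swift
import UIKit
import SafariServices
import Security
import CryptoKit   // SHA256 for the PKCE code challenge (iOS 13+)

// Hypothetical values: replace with your IdP's endpoint and your app's registered client.
let authorizationEndpoint = URL(string: "https://idp.example.com/oauth2/authorize")!
let clientID = "example-native-client"
let redirectURI = "com.example.app:/oauth2redirect"   // custom scheme declared in Info.plist

// Per-request PKCE verifier and CSRF state. Both are generated fresh for every sign-in.
struct AuthorizationRequest {
    let state: String
    let codeVerifier: String

    init() {
        state = AuthorizationRequest.randomURLSafe(bytes: 16)
        codeVerifier = AuthorizationRequest.randomURLSafe(bytes: 32)
    }

    // S256 challenge: base64url(SHA256(code_verifier)), no padding.
    var codeChallenge: String {
        let digest = SHA256.hash(data: Data(codeVerifier.utf8))
        return AuthorizationRequest.base64URL(Data(digest))
    }

    // Full authorization URL handed to the external user-agent.
    var url: URL {
        var components = URLComponents(url: authorizationEndpoint, resolvingAgainstBaseURL: false)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "scope", value: "openid profile"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: codeChallenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        return components.url!
    }

    static func randomURLSafe(bytes count: Int) -> String {
        var bytes = [UInt8](repeating: 0, count: count)
        _ = SecRandomCopyBytes(kSecRandomDefault, count, &bytes)
        return base64URL(Data(bytes))
    }

    static func base64URL(_ data: Data) -> String {
        data.base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")
    }
}

final class LoginViewController: UIViewController {
    private var pendingRequest: AuthorizationRequest?

    @IBAction func signIn() {
        let request = AuthorizationRequest()
        pendingRequest = request
        // SFSafariViewController runs outside the app process and shares Safari's cookie jar:
        // the app never sees the user's IdP credentials, and an existing IdP session gives SSO.
        let safari = SFSafariViewController(url: request.url)
        present(safari, animated: true)
    }

    // Called when iOS hands our custom-scheme redirect URI back to the app.
    // Returns the authorization code only if the state matches the request we issued.
    func handleRedirect(_ url: URL) -> String? {
        guard let request = pendingRequest,
              let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              items.first(where: { $0.name == "state" })?.value == request.state,
              let code = items.first(where: { $0.name == "code" })?.value else {
            return nil   // missing or mismatched state: ignore the redirect
        }
        pendingRequest = nil
        dismiss(animated: true)
        // Next step (not shown): POST code + request.codeVerifier to the token endpoint.
        return code
    }
}

@UIApplicationMain
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    var loginViewController: LoginViewController?   // hypothetical wiring to the login screen

    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard url.scheme == "com.example.app" else { return false }
        return loginViewController?.handleRedirect(url) != nil
    }
}
```

The point of the example is the division of labour: the app only builds the authorization URL and validates the redirect, while credential entry happens in a browser surface the app cannot script or read, which is what makes the session reusable for SSO. On Android the same structure applies with Chrome Custom Tabs and an intent filter for the redirect scheme. On current iOS releases ASWebAuthenticationSession is the dedicated API for this flow and returns the callback URL directly, but the PKCE and state handling shown here is the same.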