On iOS this is traditionally done with UIWebView or WKWebView(like the former but better performance, runs as separate process) and you are right about the problems it creates.
However, the developers do have options to incorporate SFSafariViewController since iOS9.0 and that gives the user full Safari experience with Autofill and everything and without giving access to its contents to the app developer.
It actually makes a lot of sense from users perspective when the context is that the app temporary needs to take you to a webpage for something with the intention of you going back to the app. With SFSafariViewController this is done securely and with good user experience but unfortunately most apps business model revolves around tracking everything you do and as a result, most developers would use UIWebView/WKWebView instead of SFSafariViewController just to be able to track you.
The UIWebView/WKWebView has legitimate uses like letting you sign in from a web interface and transfer the session into the app but I kind of feel like we would be better off to depreciate it in favour of using alternative methods to do the web/app connection and improve privacy significantly.
Personally, I would never do anything sensitive from within a browser that is in an app. It looks like very obvious attack vector to me.
However, the developers do have options to incorporate SFSafariViewController since iOS9.0 and that gives the user full Safari experience with Autofill and everything and without giving access to its contents to the app developer.
It actually makes a lot of sense from users perspective when the context is that the app temporary needs to take you to a webpage for something with the intention of you going back to the app. With SFSafariViewController this is done securely and with good user experience but unfortunately most apps business model revolves around tracking everything you do and as a result, most developers would use UIWebView/WKWebView instead of SFSafariViewController just to be able to track you.
The UIWebView/WKWebView has legitimate uses like letting you sign in from a web interface and transfer the session into the app but I kind of feel like we would be better off to depreciate it in favour of using alternative methods to do the web/app connection and improve privacy significantly.
Personally, I would never do anything sensitive from within a browser that is in an app. It looks like very obvious attack vector to me.