This is more of a platform capability question. Here is a quick answer on iOS. There are two ways to display web content in iOS:
-
UIWebView or WKWebView: you can share cookie between the native app and the web container, e.g., through NSHTTPCookieStorage. So you can pass device_secret from native app to the web container, and launch a javascript in the web container to read the device_secret cookie and exchange it for tokens.
-
SFSafariViewController or ASWebAuthenticationSession: these are designed as isolated embedded browsers, which do not share anything with the native app, so you cannot share device_secret through cookies. There might be other ways to pass device_secret that I am not aware of yet.