I've been using the Facebook SDK/API for iPhone and Android, and think the Facebook authentication model for apps on mobile phones has a serious problem: Users cannot trust the in-app browser dialogs. An app developer can easily modify the browser dialog to capture the passwords.
This doesn't apply only to Facebook auth, but to any login mechanism which requires users to enter login tokens inside an app, even if it opens a "web browser". I would be very interested in hearing your thoughts on this!