The OAuth PKCE flow isn’t that secure... a rogue app could just initiate an /oauth/authorize request pretending to be a valid app, then intercept the response on the app:// redirect. It will know the code challenge since it initiated the flow itself.
1
Replying to @FiaccoNick @leahculver
Yes, you're right, but that doesn't mean PKCE is not secure. This is just an inherent limitation of public clients that can't use a client secret. PKCE does solve several attacks, but it doesn't provide authentication of the app itself.

Feb 11, 2021 · 5:58 PM UTC

1
2
Replying to @aaronpk @leahculver
Is there a good way to verify the identity of a public app requesting an auth code?
1
No not really, that's why the redirect URL is so important to get right. It's not a great situation, but it would require cooperation from the OS in order to have a more secure flow. That said, it's also a relatively unlikely attack vector so people mostly don't worry about it.
1