
I went through the updated app (v1.0.1) and the OAuth flow clearly indicated what I was granting access to. I'd be very curious if this was a fix by Google, a Google bug where requesting "full access" is missing that step, or Niantic changed the way they do OAuth (still a Google issue; the method lacking confirmation shouldn't exist).



It was some JavaScript injected into the WebView that automatically clicked confirm and sent a message to reposition the WebView offscreen as soon as that happens.


If they did that, they don't deserve a second chance at trust. That is outright malicious, and definitely a dark pattern. Their app deserves to be deleted and not used again.

OAuth2 has some serious holes - I have no idea if the Google login page is served by Google, or is simply a copy of their landing page designed to phish for credentials. This needs to be fixed as OAuth is becoming increasingly prevalent. We need some type of web of trust like SSL EV that gives me attestation the OAuth login page is being served by the company that I think it is.


This is why providers like Fitbit require that you use APIs such as Chrome Custom Tabs or SafariViewController, where the OS presents an out-of-process limited web view that the host app doesn't have access to.
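The two patterns the comment above contrasts, as an added Android example (not code from the thread, from Niantic or from Google). The package names are the standard Android and AndroidX ones; the authorization URL is a constructed placeholder.

```java
// Added example: the same OAuth consent page shown two ways on Android.
// AUTH_URL is a constructed placeholder, not a real endpoint.
import android.app.Activity;
import android.net.Uri;
import android.webkit.WebView;
import androidx.browser.customtabs.CustomTabsIntent;

public class OAuthLaunch {
    // Placeholder; a real request also carries client_id, redirect_uri,
    // scope, state and PKCE parameters.
    static final Uri AUTH_URL =
        Uri.parse("https://accounts.example.com/o/oauth2/auth?client_id=PLACEHOLDER");

    // Weak pattern: the consent page is rendered inside a WebView that the
    // host app owns. With JavaScript enabled the app has full DOM access
    // (evaluateJavascript, addJavascriptInterface), can move the view
    // offscreen and can intercept the redirect, so nothing stops it from
    // acting on the consent screen without the user ever seeing it.
    static void launchInWebView(Activity activity) {
        WebView webView = new WebView(activity);
        webView.getSettings().setJavaScriptEnabled(true);
        activity.setContentView(webView);
        webView.loadUrl(AUTH_URL.toString());
    }

    // Hardened pattern: Chrome Custom Tabs (SafariViewController is the iOS
    // counterpart). The page is rendered in the browser's own process with
    // the user's existing browser session; the app gets no DOM access and
    // cannot script or hide the consent screen. The app only learns the
    // outcome when the OS delivers the redirect URI back to it through an
    // intent filter the app declares in its manifest.
    static void launchInCustomTab(Activity activity) {
        CustomTabsIntent customTab = new CustomTabsIntent.Builder().build();
        customTab.launchUrl(activity, AUTH_URL);
    }
}
```

A reviewer auditing an app for this issue would look for the first pattern (a WebView with JavaScript enabled pointed at a provider's authorization endpoint) and expect the second in its place.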


Terrible if true. Is there a source for this claim?


[citation needed]


They did that? That doesn't sound like a mistake, that sounds like a CFAA felony.



