I was wondering why Google did this. Still seems disturbing that the master token is something that once acquired is still useful even after hours of use. Even if they did plug the web auth hole via app-controlled browsers.
I'm surprised a limited time + per app + per user code isn't used, where limited time is enough to be useful for app purposes but not worth storing for long enough to be swept up in some data grab.
Time limited tokens don't lend a lot of security. Someone malicious can simply scrape your entire account in the 15 minutes or whatever the validity period is.
Scope limited is far better, and something Android is bad at. I suspect they are highly constrained by the need to maintain compatibility all the way back to Android 1.0.
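To make the difference between a time-limited and a scope-limited token concrete, here is a small example written for this page (it is not code from the thread, from Google, or from Android): a server mints HMAC-signed tokens bound to one user, one app and an explicit scope list, and a validator that refuses any use outside those bounds. The signing key, app IDs and scope names are made up for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret; in practice this lives in a KMS/HSM, not in code.
KEY = b"example-server-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, app: str, scopes, ttl: int, key: bytes = KEY, now=None) -> str:
    """Mint a token valid only for `app`, only for `scopes`, and only for `ttl` seconds."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,              # who the token acts for
        "aud": app,               # which app may present it (per-app binding)
        "scope": sorted(scopes),  # what it may be used for (scope limiting)
        "iat": int(now),
        "exp": int(now + ttl),    # time limiting
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def check_token(token: str, app: str, scope: str, key: bytes = KEY, now=None):
    """Return (True, user) if the token may be used by `app` for `scope`, else (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    # Verify integrity before trusting any claim inside the token.
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["aud"] != app:
        return False, "wrong app"
    if scope not in claims["scope"]:
        return False, "scope not granted"
    return True, claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    # A "master token" analogue: long-lived and broadly scoped. Anyone who lifts it
    # can read everything from any app for a year.
    master = issue_token("alice", "any", ["mail:read", "contacts:read", "drive:read"], ttl=365 * 86400, now=t0)
    print("master token, drive from 'any' app:", check_token(master, "any", "drive:read", now=t0 + 86400))

    # A scoped token: 15 minutes, one app, one scope. Even if it leaks, the blast
    # radius is one API for one app, and only until it expires.
    scoped = issue_token("alice", "com.example.mail", ["mail:read"], ttl=900, now=t0)
    print("mail app reads mail:     ", check_token(scoped, "com.example.mail", "mail:read", now=t0 + 60))
    print("mail app reads contacts: ", check_token(scoped, "com.example.mail", "contacts:read", now=t0 + 60))
    print("maps app reads mail:     ", check_token(scoped, "com.example.maps", "mail:read", now=t0 + 60))
    print("after expiry:            ", check_token(scoped, "com.example.mail", "mail:read", now=t0 + 1000))
```

The point of the contrast in `__main__` is the one made in the thread: the expiry alone only shortens the window, while the `aud` and `scope` checks are what stop a stolen token from being turned into a full account scrape by some other app or API.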
In my opinion, they should drop support for old Android versions by default, and if you want the ability to sign in to an old non-updated device, force you to go to a real browser and enable some option like "allow insecure devices".