
You mean they extracted your primary full access token, not the generated restricted OAuth token?


If your app has a webview in it, on both iOS and Android, you have full access to run script inside that webview and take/set cookies for any domain. You can easily take the auth cookie.

Some Google auth cookies can only be used on the same TLS session that created them[1]. That means the TLS session resumption information (which can be tied to hardware platform features like the TPM) is required to make use of a stolen auth cookie. Unfortunately, while that approach has big security benefits, it's pretty anti-user-privacy.

[1]: https://nakedsecurity.sophos.com/2018/10/25/could-tls-sessio...


Yes, pretty sure. It wasn't an OAuth screen but the actual FB login screen.



