Though not a direct solution to showing the user the URL and SSL status, one way to prove authenticity would be if OAuth providers allowed users to set a secret word or phrase that is shown to them once they've provided their username but before they enter a password - as in some 3DSecure implementations - so the user knows to look for that before completing signin. Although again in an app that would be fairly easy to intercept without the user's knowledge.

Otherwise, the only thing I can think of is a native OAuth implementation on each platform (like the Windows User Account Control overlay pop-up) that apps can/must call as a trusted intermediary rather than handling the process directly.