OP here. iOS 9's SFSafariViewController, unlike UIWebView or WKWebView, runs out-of-process and cannot be data-scraped. Beacause of this, SFSafariViewController shares cookies with Mobile Safari. The use-case here is essentially loading a special URL on the website that will take any logged in session and return back an oAuth token that the native app can use.
The communication method in the demo is as if you were talking indirectly with Mobile Safari, using a custom url protocol (e.g. fooapp://), or by using the new (safe) Universal links (apps can register specific domains/urls that will redirect back to the app, using their Associated Domains entitlements).
