“They”? That doesn’t make a lot of sense to me. Do you have a link to anything in the computer security/infosec press talking about attack vectors for app-based authentication? I know SMS attacks/hijacking as discussed above are a real-world thing but I’ve never heard of a major-vendor MS/Google/Duo Mobile/whatever authenticator app, distributed via the iOS App Store or Google Play Store, being an attack vector.