I fail to see how the app vendor comes into play here. There should be no "whitelisting", but the user as the active party just uses some sort of tool (may it be online or a native app) to authenticate (e.g. via OAuth) and that's what establishes trust on the tool.

Of course security is good, but this is just hindering third party access.