> Why can't you generate a token for your own website, and then "replay it" to another? Because the token embeds the "challenge" which is random numbers selected by the server. The server compares the challenge in the token with the one it generated, usually it will statelessly hash something about the client connection like a cookie. So you can't just substitute a token from one site for another.
Your fake iPhone could talk to a cooperating server which presents the same challenge to a real iPhone. In fact, a service could accept challenges, instruct a friendly iPhone to request `/?code=$foo`, then return the friendly's iPhone token to the original client.