OAuth and OIDC security best practices

For OAuth 2.0 and OpenID Connect the following security best practices are recommended:

  • For mobile apps, the user-agent should be the system browser, as recommended by RFC 8252. It should not be an embedded browser or the mobile app itself.
  • For public clients and mobile apps, Proof Key for Code Exchange (PKCE) as specified in RFC 7636 should be used.
  • Lifetimes of authorization codes should be very short (a few seconds). Lifetimes of access tokens should be short (less than an hour). Lifetimes of refresh tokens strongly depend on the use case.
  • Use token revocation and token introspection so that the authorization server retains control over issued tokens and can check their validity.
  • A comprehensive discussion of security considerations is presented in RFC 6819.
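As an added example (not part of the original list), the following Python sketches the PKCE flow from RFC 7636 together with the short, single-use authorization code recommended above: the client derives an S256 code_challenge from a random code_verifier, and the authorization server only redeems a code when the presented verifier matches, the code is unexpired and it has not been used before. The `AuthorizationServer` class, its 10-second lifetime and the in-memory code store are constructed for illustration, not taken from any real implementation.

```python
import base64
import hashlib
import hmac
import secrets
import time


def make_code_verifier():
    # RFC 7636: 43-128 characters from [A-Za-z0-9-._~].
    # token_urlsafe(32) yields 43 characters, all from that unreserved set.
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier):
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed, in-memory model of the authorization-server side of PKCE."""

    CODE_LIFETIME_S = 10  # authorization codes should live only a few seconds

    def __init__(self):
        self._codes = {}  # code -> (code_challenge, method, issued_at)

    def issue_code(self, code_challenge, method="S256", now=None):
        # Bind the challenge sent on the authorization request to the issued code.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method, time.time() if now is None else now)
        return code

    def exchange(self, code, code_verifier, now=None):
        # Single use: the code is consumed whether or not the exchange succeeds.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > self.CODE_LIFETIME_S:
            return False  # expired code
        if method != "S256":
            return False  # "plain" gives no protection if the challenge was observed
        expected = code_challenge_s256(code_verifier)
        return hmac.compare_digest(expected, challenge)  # constant-time comparison
```

An authorization code intercepted without the client's code_verifier cannot be redeemed, which is the interception scenario PKCE is designed to close.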