Sounds like a no-win to me.
You NEED to be able to withdraw the address bar because of the iPhone's limited viewing size; otherwise, there's so little space as to be impractical (the iPad tags along because of the common OS).
So how do you PROVE a site is authentic in an environment where the OS has to hide itself out of necessity? And you can't rely on outside contact because people may not have access to it (or it costs them money each time, in the case of many SMS). And furthermore, how can you produce a security element that miscreants can't eventually replicate on their malware sites (as seen here)?
PS. And alternative browsers are no safe haven, either. Since Browser ID is a trivial thing to pick up, the malware can be tuned to whatever ID tag is presented and present whatever false facade, indicator icons, etc. are needed.