I've created two web apps using the following process:
1. create shapefiles of content
2. place the .shp, .shx, .dbf, and .prj components for each individual shapefile into a .zip
3. add the content to a sub folder in My Content on our organization's AGOL4Org space, this creates a feature service for the individual shapefile
4. create a web map from a group of feature services as created above
5. share the web map and create a web app from it using a configurable template
6. share the web app
So the web map and web app are shared out to Everyone.
One web app can be seen by anybody with a web browser by simply sharing the resource url.
The other web app, when the resource url is entered into a browser, asks the user to sign in with an ArcGIS Online for Organizations account. AFIK, no different security was applied to the sub-folders or feature services. Everything was processed into services in the ArcGIS Online cloud and reside there.
How can I determine what is causing these differences?