I finally find the way to solve this. Probably the edx-ios team stop updating since openedx ficus for now. So the environment settings are not updated and not ready for hawthrone.
So here comes the holygrail. Hawthrone pushed all the way it's oauth2 using django oauth toolkit (DOT), but the token that sent to client device is not DOT format. So this is where the problem arises.
To solve this, you need to comment out some of the code in /opt/bitnami/apps/edx/edx-platform/openedx/core/djangoapps/auth_exchange/views.py
find lines with something like this
if not self._is_grant_password(request.auth):
u'developer_message': u'Only support DOT type access token with grant type password. '
comment out these lines, save the file and restart apache. You will now able to see the HTML block from mobile apps.
hope this helps