How do application-specific passwords with Google's two-factor auth work?

google, passwords, security

When you activate Google's two-factor authentication, you will have to use some application-specific passwords for applications that don't support two-factor authentication. How do the application-specific passwords work, and are they more secure than a regular login and password?

Best Answer

Application specific passwords are extra passwords for your account. While you give the password a name, it doesn't explicitly tie that password to a specific application. That feature allows you to easily deactivate, by device or application, the password in question.

In some respects, they could be seen as a security vulnerability. That's why you should never write them down. An app-specific password could be used by an attacker to sign in to your account. However, I don't think there's a way to fully hijack the account (change the main password with the app-specific one). So, there's only a limited benefit to an attacker if they compromise your account with an app-specific password.

App-specific passwords are going to protect your primary authentication information from being compromised. They're required when you turn on 2-factor authentication, because there are some apps that won't accept the 2nd factor token. The app-specific password is a temporary workaround until other apps can add support for 2-factor authentication.

2-factor authentication requires more than just your password (in this case, your phone) in order to compromise your account. And, in that respect, the combo of 2-factor auth and app-specific passwords is doing a whole lot of good, keeping your account safe and away from any hijacking attempts.
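
A simplified model of the scheme the answer above describes, added here as an illustration; it is not Google's implementation or the answerer's code. The `Account` class, its method names, the 16-letter password format, and the rule that an app-password session cannot change the primary password are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this example


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _matches(password, record):
    salt, stored = record
    return hmac.compare_digest(_digest(password, salt), stored)


def _record(password):
    salt = secrets.token_bytes(16)
    return salt, _digest(password, salt)


class Account:
    """Toy model: one primary password plus named, revocable app passwords."""

    def __init__(self, primary_password):
        self._primary = _record(primary_password)
        self._app = {}  # label -> (salt, digest); the plaintext is never stored

    def issue_app_password(self, label):
        """Create a random password under a label; shown to the user once."""
        password = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._app[label] = _record(password)
        return password

    def revoke(self, label):
        """Deactivate one label without touching the other credentials."""
        return self._app.pop(label, None) is not None

    def login(self, password, second_factor_ok=False):
        """Return the session scope, or None if authentication fails."""
        for label, record in self._app.items():
            if _matches(password, record):
                return "app:" + label  # accepted without a second factor
        if _matches(password, self._primary) and second_factor_ok:
            return "full"
        return None

    def change_primary_password(self, scope, new_password):
        """Assumption: only a full (password + second factor) session may do this."""
        if scope != "full":
            return False
        self._primary = _record(new_password)
        return True
```

The label is only a name for revocation: any client that holds the string can log in with it, which is why each app password should be treated as a standalone credential and revoked when the device or application is retired.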