To Be Fair
Have you looked at some of these. This one from Keeper requires you have physical access to the phone and email. This is not some hack the webcam type of issue. Below is the just the first half of the actual report for one of the keeper issues. And I am sure there are others beyond these, but you will never get 100 percent bug free, you just want to make your app harder to break then the attacker wants to spend.
If the user is logged out, the master password has to be entered to access the passwords in the app. An adversary with local access to the device can now attempt to reset the master password. For this attack scenario it is also assumed that, by having local access to the device the adversary has also access to the mail account which is connected to the keeper account.
By entering the password incorrectly once the adversary can select “Forgot Password” after which a verification code has to be entered.
In this state the Keeper app with minSdkVersion=15, the adversary can launch the activity com.callpod.android_apps.keeper.DeepLinkActivity by using the shell based Activitymanager am