Hi goldeneye,
Sources are coming, I am polishing the Android light client. Note that this is a DAPP light client, not a LISK light client. Hence the security issue.
1. Yes, for security, so far the passphrase is stored inside the client and then each time a transaction is made, it is sent to the API. This is a known limitation of LISK so far and we are already working to come up with a solution with the LISK team. This is not trivial.
2. Yes, but as a start this is enough.