If you affect the computing time with dummy operations you don't need a long passphrase..
It is relatively easy to set up a cluster thousands of times faster than a phone, this would crack the key about as fast as the phone can decrypt it.
I covered this in my previous post.
Generally.. you could just use a 4 digit code.. and on 3 wrong entries.. the wallet blocks or deletes the priv keys..
With this option available.. you should make sure that the user of the wallet writes down a "passphrase" to recover the priv keys
(or write down the priv keys themselves).
Most smartphones do not have a secure cryptoprocessor on board, a hacker can take the phone apart, remove the memory storage, and extract the encrypted keys.
After this, the hacker would not have any trouble cracking your key-stretching scheme.
This may require some effort, but it is well worth the stash of bitcoin.
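
Added example (not part of the thread): a worst-case sizing of the offline search discussed above, once the encrypted keys have been copied off the phone and the wrong-entry counter no longer applies. The 1-second stretching cost, the 1000x cluster speedup and the list of secrets are constructed assumptions.

```python
import math

# Constructed assumptions, not measurements from the thread.
PHONE_KDF_SECONDS = 1.0   # time the phone spends stretching one guess
ATTACKER_SPEEDUP = 1000   # cluster vs. phone ("thousands of times faster")

# Number of equally likely candidates for each kind of secret (constructed).
SECRETS = {
    "4-digit code": 10 ** 4,
    "6-digit code": 10 ** 6,
    "8 random lowercase letters": 26 ** 8,
    "6 random Diceware words": 7776 ** 6,
}

def exhaust_seconds(candidates, kdf_seconds=PHONE_KDF_SECONDS, speedup=ATTACKER_SPEEDUP):
    """Worst-case time to try every candidate against an extracted key blob."""
    return candidates * kdf_seconds / speedup

def min_entropy_bits(target_seconds, kdf_seconds=PHONE_KDF_SECONDS, speedup=ATTACKER_SPEEDUP):
    """Smallest whole number of bits whose full search takes at least target_seconds."""
    guesses = target_seconds * speedup / kdf_seconds
    return math.ceil(math.log2(guesses))

def human(seconds):
    """Format a duration using the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"

def report():
    """One row per secret: (name, entropy in bits, worst-case search time)."""
    return [(name, round(math.log2(n), 1), human(exhaust_seconds(n)))
            for name, n in SECRETS.items()]

if __name__ == "__main__":
    for name, bits, duration in report():
        print(f"{name:28} {bits:5} bits  exhausted in {duration}")
    ten_years = 10 * 31_536_000
    print("bits needed to hold for 10 years:", min_entropy_bits(ten_years))
```

Each doubling of the stretching cost buys one extra bit, so stretching alone cannot lift a 13-bit code to the 39 bits this model needs for ten years.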