I have the blockchain.info app installed on my Android device, but I am sure that I never created a new address within it and I'm also sure that I never created a transaction on that device. Basically the app only acted as a way to check the wallet balance and transaction history (i.e. read-only actions).
Are my private keys and transactions at risk if I don't do a key rotation? With the many small and non-mature inputs I have on my many addresses, I am heading for maybe over 0.02 btc for transaction fees... last time I did a key sweep it was something like 0.01 btc, and to be honest I think my wallet is even more fragmented now.
I don't think the app ever had any reason to request random numbers unless it is creating addresses without user intervention.
On a related thought: many online wallets generate private keys client side with JavaScript. How secure is the PRNG used by JS, or is it not used in a direct way (are there other sources of entropy)?
My understanding is that if you sent Bitcoins from any of the addresses in your blockchain.info wallet more than once, it could reveal the private key of said addresses to anyone clever enough looking at the blockchain. If you didn't generate any addresses or send any Bitcoins from it, then you should be fine.