It lets you connect it to Coinbase (the way you would connect online app to Facebook).

When connecting, it asks you for permissions - buy Bitcoin, sell Bitcoin, view transaction history. It stores tokens encrypted in database, and this is all anyone could do with these tokens.

If the app does get compromised by a 3rd party, the only thing the attacker would get are tokens to buy and sell Bitcoins on someone else's account, but no way to get the Bitcoins out of the account.

Other than that, there's basic security measures like XSS or SQL injection protection mechanisms