P.S. A simple one: Your phone can be hacked and thus reveal your private key!
~~MZ~~
Both Android and iOS use app "sandboxing" and code-signing, which makes them more difficult to hack than popular desktop systems. iOS further requires that all code run on the device be code-signed by Apple, and enables AES hardware encryption on all devices by default to protect your data in the event of physical theft.
breadwallet was the first mobile HD wallet using SPV, but the new version of Andreas Schildbach's wallet based on bitcoinj that was just recently released has it now as well. Bither and KnC wallet for iOS are using breadwallet code.
The upcoming version of breadwallet will use a combination of Touch ID and wallet PIN. Touch ID enables fast, convenient access without the potential of revealing your PIN to a shoulder surfer; however, your fingerprints are all over the phone, so there will be a user-configurable spending limit after which PIN entry is required. This helps to mitigate both the shoulder surfing and fake finger attacks.