Let us consider the layers of security an attacker has to go through in order to spend your funds from Coinomi:
1 - Physical Access to the phone.
2 - Access to the unlocked phone through the device's PIN/Fingerprint/Password lock. (Most devices will auto-lock after some seconds/minutes)
If the attacker succeeds in the above, he can indeed run your Coinomi app, and have view access to all your balances, transactions, and exchanges.
3 - To spend or exchange your funds, an attacker needs your Coinomi password.
4 - To export your private keys, he needs your Recovery Passphrase.
The real security is already placed where it matters: in the tampering of users' funds and extraction of users' private keys, and it's a double lock:
- You need your recovery passphrase or the existing password in order to change it at Settings > Change Password.
- You need your password to view your recovery passphrase at Settings > Show Recovery Phrase
PIN: a 4 digit pin is instantly bruteforced even by the most minimal machines today. Let's test this at https://howsecureismypassword.net/. Enter any 4 digit PIN. Now enter your Coinomi long alphanumeric password. The results are shown in the images, and are quite a long way apart. Your Coinomi password prevents any attacker circumventing the devices locks AND your hypothetical PIN, from spending and/or exchanging your funds.
2FA: If an attacker had physical access to your unlocked phone wouldn't he also have access to your Authenticator app, running on the same unlocked phone? Again, your Coinomi password prevents any such attacker from spending and/or exchanging your funds. Yes, someone can have different devices for Coinomi and an Authenticator app, or some other configuration, but Coinomi strives to be light, useful and secure, all in the same device.
PIN / password / biometric lock is available on the Android and iOS versions, but they are no substitute for a strong password. We want to make it clear that they prevent view access. The password is still used to encrypt your keys, protecting you from malware, and is required on each and every transaction.