Channel: encryption – Android Security.guru

Keep Sensitive Information in RAM for a Short Time

For apps that need to be ultra-secure, keep sensitive information in RAM for the minimum time possible by setting it to null after use. This minimises the time over which any malware, memory dump via adb, physical (connected) extraction or electromagnetic techniques can sample the secure data.

Again, for apps that need to be ultra-secure, avoid using Java’s String class to hold sensitive information. Instead, use char arrays or byte arrays. Strings are immutable, which means there is no way to overwrite or clear the underlying content after use, so they can remain in memory where attackers can examine them. Following on from this, don’t use EditText, which uses String in its underlying implementation. Instead, use a View based on android.graphics.Canvas with a key listener that accepts chars and assembles them into a char[].
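
The following is an added example, not code from the original article: it keeps a passphrase in a char[] from start to finish, uses it to derive a key, and overwrites each copy as soon as it is no longer needed. The class name `ShortLivedSecret`, the choice of PBKDF2 and the iteration count are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ShortLivedSecret {

    // Derive a key from a passphrase held only in a char[], then overwrite every copy we control.
    static byte[] deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        // PBEKeySpec clones the char[], so it holds a second copy. Iteration count is an assumed value.
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // overwrite the spec's internal copy
            Arrays.fill(passphrase, '\0'); // overwrite the caller's array in place
        }
    }

    // Encode chars as UTF-8 without creating a String, wiping the intermediate buffer.
    static byte[] toUtf8(char[] secret) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a real app would fill this array from key events.
        char[] passphrase = {'e', 'x', 'a', 'm', 'p', 'l', 'e'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] utf8 = toUtf8(passphrase);
        byte[] key = deriveKey(passphrase, salt);
        try {
            System.out.println("key length: " + key.length + ", utf8 length: " + utf8.length);
            System.out.println("passphrase wiped: " + Arrays.equals(passphrase, new char[passphrase.length]));
        } finally {
            Arrays.fill(key, (byte) 0);   // wipe derived material once it has been used
            Arrays.fill(utf8, (byte) 0);
            passphrase = null;            // drop the reference after the contents are gone
        }
    }
}
```

Overwriting the array before dropping the reference matters because the garbage collector reclaims the memory at an unspecified later time and does not zero it on your behalf.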
