When I speak with clients, there always seems to be the impression, on their part, that things are either secure or not secure. Unfortunately, whether it’s desktops, laptops, servers or smartphones, the principle is the same: you will never have complete application security.
It will always be possible to fool users into installing things or doing things they shouldn’t. There will always be vulnerabilities that allow root and hence allow, for example, memory dumps of decrypted data. There will probably always be NSA backdoors and the possibility of eavesdropping on radio frequency (RF) noise. There will always be some users who root their devices, making things considerably easier for attackers.
This doesn’t mean you should give up and not consider security at all. For all apps, simple safeguards, for example keeping data in the Android sandbox, provide basic protection with negligible extra effort. At the other end of the scale there’s a class of apps, for example banking and payment, that needs to make it algorithmically time-consuming (via encryption) or extremely technically difficult (via tamper protection) for attackers to read sensitive data. You will never have complete application security, but you can have high security that, for all normal intents and purposes, will keep your sensitive data safe.