@riensen, I agree skepticism on security is always the best approach. I do think that so long as it is clear the password(key) typed(inputted) into the program is immediately used to produce a hash and is not left on device cache or memory in any way; than the rest of the programming accessing this hash will clearly not have the ability to transmit a future usable password(key) to any party. If the temporary hash was somehow transmitted to a malicious 3rd party you could simply log out of the app and into the Steemit website within 12 hours to undo any fraudulent activity. If you have a key file on your device and you are concerned the app might access that file at times not given by the open source code, one could simply move or delete(with a backup elsewhere) the file after its allotted time of use...