: regarding security, as raised by
, are you asking for the master password that controls the account or only the posting key? Mobile phones aren't the safest platform around and there are plenty of apps that contain malware. For security reasons, it would be better if Steemy was working exclusively with the posting key / password and active key / password of users so that no matter what, it wouldn't be able to hijack Steem accounts even if it tried to. That's the best way to stay clear of most of the liability that comes with running a crypto-currency app for mobile phones. Of course, there is the problem of how understanding users are about the difference between master password / key and more specific access keys, but there is a way to make that pretty transparent for users. See below.
: it would be good to have in the protocol something like "access requests" that would allow anyone to ask for a specific public key to be added as an authenticating key of another user's account. These requests would just sit there waiting to be approved or denied by a client that has control of the target user account. Typically all that the target account client will have to do is read the requests, display a pop-up "do you want this key to have <posting/trading> access to your account (yes/no)" and perform an update_account_auth_key call to add the key to the authorized keys for the specific type of permission. For security / foolproof-ness, this third party request mechanism shouldn't apply to "owner" permission. The point of doing that is that app developers can have their app request permissions very much in the same way as third party Google apps or Google Drive apps are requesting the authorization to access one's Google account. Doing so, the user never needs to input his master password / key in the (somewhat untrusted) third party app: all she needs to do is tell the app what her Steem account is, then go to Steemit.com, authenticate with her master key, and approve the app's request. That way there is no way for any third party app to hijack accounts. So long as users are careful about what specific authorization they give to the app, in the very worst case the app may post / vote on their behalf (and get spotted very quickly) or steal some liquid Steem / SBD but most of the funds in the form of vests would be safe and can be easily protected by terminating the app's access / removing its keys.
RE: [Introducing Steemy] - Fully Native iOS/Android apps for STEEM
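The "access request" flow proposed in the comment above, as an added Python sketch; it is not code from the post, from Steemy or from Steem. The `Account` model, the function names and the key strings are hypothetical, and it assumes the approver authenticates with a key held in the account's owner authority.

```python
from dataclasses import dataclass, field

# Roles a third-party app may request; "owner" is deliberately not requestable.
REQUESTABLE_ROLES = {"posting", "active"}

class AccessRequestError(Exception):
    pass

@dataclass
class Account:
    name: str
    # role -> set of authorised public keys (constructed placeholder strings)
    auths: dict = field(default_factory=lambda: {
        "owner": set(), "active": set(), "posting": set()})
    pending: list = field(default_factory=list)

def request_access(account, app_pubkey, role):
    """Called by the untrusted app: queues a request, grants nothing."""
    if role not in REQUESTABLE_ROLES:
        raise AccessRequestError(f"role {role!r} cannot be requested")
    req = {"key": app_pubkey, "role": role}
    account.pending.append(req)
    return req

def resolve(account, req, approve, signed_with):
    """Called by a client the user trusts, after the yes/no pop-up."""
    if signed_with not in account.auths["owner"]:
        raise AccessRequestError("approver does not control the account")
    if req not in account.pending:
        raise AccessRequestError("no such pending request")
    account.pending.remove(req)
    if approve:
        # Stands in for adding the key to the role's authorised keys on chain.
        account.auths[req["role"]].add(req["key"])
    return approve

def revoke(account, app_pubkey):
    """Terminate the app's access by removing its key from every app role."""
    for role in REQUESTABLE_ROLES:
        account.auths[role].discard(app_pubkey)

if __name__ == "__main__":
    alice = Account("alice")
    alice.auths["owner"].add("OWNER_PUB_PLACEHOLDER")
    r = request_access(alice, "APP_PUB_PLACEHOLDER", "posting")
    resolve(alice, r, approve=True, signed_with="OWNER_PUB_PLACEHOLDER")
    print(alice.auths)
```

The app only ever supplies its own public key, so the owner key never leaves the trusted client, and `revoke` restores the account to its prior state.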