Psychics Live Android App Stores Password

Background

The Psychics Live Android app stores the user's password on the phone without encryption, exposing it to theft.

This is the #2 most important security flaw, according to OWASP.

As discussed here, passwords should not be stored on the phone at all. Because users re-use passwords across services, a password is highly sensitive information, and handling it carelessly is a disservice to your customers.

Locally stored passwords could be stolen by malware on the phone, or by simply stealing the phone itself.

Instead, the phone should store only a random cookie (a session token), which is worthless at any other company and can be revoked by the server if it is stolen.
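The following is an added example, not code from the page or the app; it shows both halves of the point above: a check that flags a plaintext password in an Android shared_prefs dump (the constructed XML below is made up, with hypothetical key names), and the recommended pattern where the server mints a random token, keeps only its hash, and the phone persists the token instead of the password.

```python
"""Detect a plaintext password in a SharedPreferences dump, and show the
token-based alternative that should be stored on the phone instead."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample of an app's shared_prefs XML as pulled from an emulator.
# Key names and values are hypothetical, not taken from any real app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">Hunter2!</string>
    <boolean name="remember_me" value="true" />
</map>"""


def find_plaintext_credentials(prefs_xml, known_password):
    """Return preference keys whose stored value is the test account's
    password, i.e. the password is sitting on the phone unencrypted."""
    root = ET.fromstring(prefs_xml.encode("utf-8"))
    return [el.get("name") for el in root if (el.text or "") == known_password]


# --- Recommended pattern: the phone keeps only a random, revocable token. ---
_SESSIONS = {}  # server side: sha256(token) -> username


def _token_id(token):
    # The server stores a hash so a leaked server table does not yield tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session_token(username):
    """Server: mint a 256-bit random token and remember only its hash.
    The returned token is what the app persists, never the password."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[_token_id(token)] = username
    return token


def lookup_session(token):
    """Server: map a presented token back to a user, or None if unknown."""
    return _SESSIONS.get(_token_id(token))


def revoke_session(token):
    """Server: invalidate a token (e.g. after the phone is reported stolen)."""
    _SESSIONS.pop(_token_id(token), None)
```

A stolen token grants access only to this one service and only until it is revoked, whereas a stolen password is typically reusable everywhere the user has recycled it.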

Testing Method

I used an Android emulator.

Here's the app I tested:

I created an account, and found the password stored on the phone, as shown below.

Notification

I sent this email on 9-24-2025:


Posted privately 9-24-2025 by Sam Bowne