Glad it helped mate.
If someone knows your PIN/password to the phone app then they could transfer the bitcoin to their address and your bitcoin are gone. So yes, there are risks with using a phone*. Some folks use a separate phone to their main one that doesn't leave the house.
*which perplexes me as to log on to a web page takes a password and (usually) 2 factor authorisation using the phone, but using the phone app on its own is just a short PIN.
When you hold bitcoin they only exist on the blockchain, which is just a publicly shared ledger of which addresses hold bitcoins. Every transaction between addresses goes onto the blockchain, so at any time if you know the address you can see how many bitcoin it holds by searching on what are known as block explorer sites. Think of an address as a Swiss bank account - you have an account number and a password and whoever has both has full access to that account to do with it what they will. Just knowing your address won't allow anyone to access your bitcoin (just like knowing someone's account number won't allow you to access their account), but if you have the password too (called the private key) to an address then it will.
As has been mentioned upthread, with some wallet apps there is a PIN or password for it for daily use when logging on, but in addition to that there is a master password expressed as a series of 12 words that could be used to recover the wallet (via that app or others) should you lose the PIN/password to the app. You NEVER want to share this with anyone, and some folks go to extremes to preserve it, such as having it engraved onto a sheet of metal that is then held in a safe place**.
A wallet can and almost always does hold bitcoin using multiple addresses (that's due to how transactions on the blockchain work), so this main password/PIN/master password is in effect rounding up all the passwords (known as private keys) for each address within your wallet. Knowing the PIN or main password would only be good if someone also had access to the wallet app. Knowing the master password though would allow them total access to your wallet from within an app they control.
I know, it's confusing, but the addresses bit you can come back to. The important thing is - just like leaving your money in the bank versus cash under the mattress, or gold in a bank vault versus in your own private vault at home - if some other authority holds your account (like the bank does your money), then your money could get lost or stolen by error, hacking, theft etc etc. If you hold your bitcoin (well, the private keys to the addresses) in a private wallet on your PC (or on a hardware wallet, which is just like a USB stick that you only connect to your computer and the internet when you want to move coins to or from it) then someone has to get access to that to control it, just like they have to get into your house and go under the mattress to get your cash.
tl:dr
Take sovereignty of your cryptocurrency and protect it well. Very well.
** now if you were an unscrupulous engraver