Oh, you lock the phone with a password? Well, that should help, but it is no guarantee. The iPhone has just been hacked. A new device running iOS 4.2 can be unlocked in 6 minutes. Now all of those plain-text passwords being stored on the phone are a bit more worrisome.
Forget about the phone being locked, though. If someone grabs a screenshot of your Starbucks iPhone app while it is showing the barcode, they can use your card anytime they want, or at least until you figure it out and call Starbucks. As usual, they "take security seriously" and offer balance protection. They will immediately freeze your account when you call. You are on the hook for everything that happened before then, though. Seems the balance they are protecting is theirs, not yours. This type of information makes me rethink the wisdom of having my card auto-load when it gets down to a certain level.
It is clear that passwords alone don't cut it. Even if you have a strong password, something over ten to twelve characters with upper and lower case letters, numbers and symbols, it doesn't matter if the rest of the app or device is insecure. It is like putting a steel door with an expensive lock on a rotting barn. You may not get through the door, but you won't have to expend too much effort to get in the barn.
I recommend you lock your phone, though. Regardless of the device's security, a password keeps an honest person honest and could very well keep out someone not skilled at working with technology. That doesn't give me great comfort, though. Device makers and ecommerce app developers need to take security seriously, and I don't mean by saying "we take security seriously" when a consumer blog calls them on the carpet. I mean seriously, like they really care about your data.