That, and I don't trust "an app." The whole reason I want a second factor is to get away from computers as primary authentication mediums, and a smart phone is a computer.
I don't think anyone realizes how much malware is in the Android marketplace. And that's besides the malware that vendors and carriers install on there by default. Do not trust your phone.
The Authenticator app is open-source [1] and extremely minimal. It doesn't run with permissions to access any data on the phone, or even communicate over the network; all it does is read the system clock every 30 seconds and compute an HMAC.
The app isn't what worries me, it's what else is running on the phone. Android malware comes in the form of a rootkit, usually, which means it has total control over your device.
Not scared? How about this article[1] from over a year ago, which details over 50 apps in the Marketplace using a rootkit which not only controls anything you do, but can download new code to keep changing at a whim?