
As an Android developer, the real hole here is being able to read the encryption key. Jelly Bean 4.3 adds the potential for "secure key storage" which only works if the user is not smart or persistent enough to break the obfuscation through using the application itself with a debugger and a rooted phone. There is no fully safe method to store keys on a device if the attacker can gain access to the same device.


Depends on the definition of "fully safe", or maybe "device". Extracting keychain secrets from an iOS device requires brute-forcing the lock screen password.

Bruteforcing the 4-digit PIN is easy "math-wise", but complicated in practice because you can't really access the data on the flash (not even dumping it, as it's fully encrypted with a hardware key), and the device will not pair to a new PC/Mac without first unlocking; so you would also need physical access to a paired PC/Mac.

For the newest devices, fingerprints can't really be bruteforced (not because of complexity, but because the hardware locks down, burning its secret after a few attempts) and Apple advises using a complex password as a fallback for the fingerprint; basically the password is the real secret for encryption, while the fingerprint hw just holds a temporary unlock secret which self-destroys if bruteforced; this is why the user is always required to enter the password after a reboot.

Of course you might still have a 0-day root exploit to use if you're NSA (or somebody with $300K to invest), and that's where I concede the "not fully safe".


Sure. Why not then store on their servers, and have the phones only keep an in-memory copy?



