The point of `pass` is to offload the security aspect to gpg, so unless something goes wrong with that, I don't believe continued use, even if unmaintained, is very insecure.
The Android app will by necessity receive the decrypted passwords from GPG to display and copy them to the clipboard. It could do whatever else it wants with them.