But these apps shouldn't be running/accessing those devices when your phone is locked. If the apps can manage to get around that permissioning issue then they can control a lot of things directly, most likely, and don't need your PIN for much.
To bypass the iPhone 5S fingerprint scan requires both access to the physical phone, and a high quality fingerprint. And getting the latter as a very high DPI scan is no mean feat. And then you need a latex printer with the same 500+ DPI resolution to compromise the device.
Security researchers have yet to comment on if the iPhone 5S can be remotely compromised to expose the fingerprint data.
A pin, using the described method, can be captured by just about any app on Android with enough permissions to activate the camera. And I've seen quite a few applications that ask for far more authority than they need. All the application needs to do is run a service in the background and observe the motion of the phone.
So, the next step is to use the camera and microphone on your phone to detect the PIN on the phone that somebody standing next to you uses. With a directional microphone, a good video camera and some smart gonio to reconstruct eye position relative to the screen it should be possible to detect the PIN even if the screen isn't visible in the shot.