As soon as they have access to your phone the encryption doesn't help. At that point they can do whatever, inject the app with custom logger, run extraction when user opens the app, etc.