I just came across this report about the Coinomi wallet.  The private seed input box spell checks by sending the private see words in plain-text to google spell check.  It's over https at least, but at least one user has reported their coins being swept out of their wallet.  Someone with access to google's back end, or via another private API could be vacuuming up seed words.

Yikes!