My bank considers transactions done using login credentials to be final. There is no recourse if someone steals your money.
Last year an iOS mail application called "Spark" (otherwise a great app) decided to quietly upload my login and password to their cloud servers so that their servers can access my mail for me. I dropped the app immediately (https://jan.rychter.com/enblog/spark-email-app-why-i-dont-us...).
This should not be considered acceptable. If you want to let users authorize external access to account data, use OAuth2.
Sandboxes are already available under reasonable terms for many banks in, for example, Ireland.
*edit, first word
(disclaimer: I work here)
An my accounts do that by default (France), except for pre-approved recipients.
I found this unacceptable, so I can't use Spark, which I regret. I also lost trust in Readdle, so now, even though they make great apps, I am extra careful with handing them any sensitive information.
AFAIK Spark’s push notification service relies on checking for mail server-side (so that they don’t drain your battery with constant background refreshes, I suppose?), so I wouldn’t consider it sneaky.