One defends against the Evil Maid with physical security techniques. And by doing your own cleaning :).

The app is not asking for authentication, it's asking for encryption. Else an attacker could bypass the app's logic and read its data directly.