How does this work with/without a secondary password? What if I first installed the Android app, and only then created a secondary password?
The second password is not contained within the pairing QR Code so you will be prompted to enter it in the iPhone app.
If you set a second password after pairing with only single password after the app syncs the wallet on startup a second password will be required from then on and the original wallet is deleted. If your phone was stolen enabling double encryption doesn't protect your wallet if it was already stored onto the device.
Are the files on my Android device / Dropbox encrypted with my first password? My second password? Both?
The wallet format is document here:https://blockchain.info/wallet/wallet-format
- For single encryption the entire JSON payload is encrypted with your first password.
- With double encryption each private key is encrypted first with the second password and then the payload is encrypted with the first password. (In the web interface click [Import / Export] then [Export Unencrypted] and from the select box choose "Leave private keys encrypted" to see the format)
The wallet is saved in exactly the same way whether stored on the server/app or dropbox.
Hope that helps.