Add optional two-factor authentication to the Android app via NFC -- to log in, the user must tap a particular NFC tag as well as entering their password. Data from the NFC tag is incorporated into the PBKDF. This prevents brute force password cracking if the Android device is captured but the NFC tag is not.
NFC tags may be readable at long distances, so this won't prevent password cracking by an attacker who can read the NFC tag in advance.
This is weaker than 2FA protocols based on public keys, such as U2F, but those require a trusted server that can deny access to the account if the signature doesn't match.