Here is how to create a safe new nostr key pair where the nsec is not entered into the nostr client, but stays secure on an Android device, using #Amber and #Amethyst over tor.

Download Amber apk

(I use the 'free' version)

Open Amethyst

Tap add new account

Tap log in with Amber

Amber app will open

Tap adjust and set your permissions

(I reject generic draft events)

Hit save

Hit grant permissions

Amethyst will open

Tap profile in upper corner

Select use tor/orbot

You now have a nostr profile where the nsec is not entered into the app. You can switch between multiple nostr profiles set up the same way.

I advocate for nostr clients to add NIP46 for sign in.

"The goal of Amber is to have your smartphone act as a NIP-46 signing device without any need for servers or additional hardware...

In addition to native apps, Amber aims to support all current nostr web applications without requiring any extensions or web servers."