I've heard that some pretty evil things happen if you buy anything iPhone. Personally I wouldn't chance it.
Because I'm in the e-commerce business, you're hitting me in the wallet.
If you are willing to shop online at any computer, you should have no concerns about shopping online with a Droid. SSL/TLS is not something you can sorta partially do right.
There are two main things to think about when you consider the safety of shopping online: can someone who should not be able to read my personal information (such as credit card details) read it (1) while it is in transit to the merchant site or (2) while it is at rest, either on the merchant's servers or on your device. Fortunately, for the merchant side, the payment card industry have come up with sound, audited data security standards. The crypto behind e-commerce works or doesn't work. If an Android device could not form a trusted connection, then merchant sites would refuse your transactions. Of course, since the Market uses Google Checkout, it's fairly clear that Droids had to use the same security as PCs.
True though to be concerned about the device. Concerned only, though.
Worry about anything that might use a keystroke logger. Heck, if you surf enough porn, serial/crack, or torrent sites with sucky malware protection, your PC would have a keystroke logger installed. If you're generally untrusting, I wouldn't install an alternate keyboard app on your Droid until you see that a developer has a few thousand users. I happen to use a keyboard I installed from the Market. That means I explicitly trust the developer.
You should also take the same care in evaluating browser alternatives. No matter what protection exists over the air and wires, you can't assume that, for example, Dolphin was properly designed to not cache encrypted pages and knows to delete expired symmetric session keys. No offense meant to Dolphin's devs; I rely on their browser as my main one. Android may take some of the decisions on data protection out of the hands of the developer, but I don't know the OS well enough to discuss that. You can base your trust in Dolphin on its popularity and what the dev has at risk if they e-bomb the entire Android community.
But again, the same is true with any PC. Look at how many security updates come out for IE and Firefox. If you shop online with a PC and you make good software choices there, then just carry what you know over to your Droid and you won't have a breach of your credit card and identity privacy.