Firstly, using MD5 for hashear passwords is a bad idea. You should decide whether or not it is important to do this hash, and if the answer is "yes," do it appropriately (ie using a proper hash algorithm for that purpose, which employs a salt and a working factor).
In general, the password hash is based on the following scenario: "I have a database, serving an application that can be accessed over the internet; if someone obtains a copy of this database - via SQL Injection, or through a backup found in the trash, or whatever - I do not want that person to immediately see what the user's passwords are, and so log in as if they were ".
According to the above description, ask yourself:
-
Is my application remotely accessible?
If the answer is no , there is little point in having the passwords - save them in plain text. For those who have physical possession of the device does not need the password to access - and even modify - your SQLite database.
-
Is there a scenario in which unauthorized people can get a read (and read-only) copy of my database?
I have difficulty imagining such a scenario. Maybe you loaned your phone to someone who was malicious, and that person found a vulnerability in your app and used it to get a copy of the bank? Without the first item of "remote access" this scenario seems a bit exaggerated ... See if you can think of any other.
If such a scenario exists, then the ideal is to have a proper hash, in the correct way (see question linked at the beginning of this answer). In this case, you should not give the user the option to recover his password, but rather to reset it.
Password hash is not a panacea: it serves very specific purposes - 1) Protect the password itself (ie your system has already been hacked, it already was!) But you do not want the attacker take advantage of this to invade other systems in which the user reused the password); 2) Prevent a read vulnerability from escalating to a full write / access vulnerability.
If this answer did not resolve your inquiries, please provide a more detailed description of your threat model - describe what this password is, what it protects and how important it is that it protects, and what the consequences of it being "leaked"; cite the scenarios in which you expect that a hashed password would be better than a simply stored password, or other possibilities of misuse of your application that come to mind. Etc.
P.S. One last point, about "recover password / access by e-mail": on your mobile phone can you access your e-mail? No password required? Because the person who is in possession of it and is "barred" from accessing your application because of a password, can not simply ask to reset the password by email and then read on the device itself the response of that email ?