How do mobile apps maintain such long sessions while still being considered secure?
There are two specific security measures that help protect against the session-hijacking-and-place-fraud-order attacks that you are worried about:
- The authentication tokens can be tied to the device. Because the mobile app has easy access to the (mobile) account and device-specific ID (UDID), the auth token can be easily revoked if it is used for the wrong device, or in the wrong context. That isn't technically a foolproof restriction because the actual service is happening over HTTP calls (which can be "spoofed" by a malicious user), but this means that actually taking advantage of a stolen auth token will require things like: the auth token, the device UDID (and potentially more identifying information), and detailed knowledge of the API calls used by Amazon to place orders. The risk is definitely low.
- The other protection is that Amazon doesn't just let you change addresses. Even if someone gained access to your account they can't just place an order to themselves. A general security measure Amazon has had in place for a long time is that if an order is sent to a new address you must re-enter any stored credit card numbers. This makes it impossible to send yourself stuff if you gain access to someone else's account. You could get around this, of course, if you also had access to their credit card information, but as we all know, at that point in time the malicious user wouldn't bother using your account to place the fraudulent order.
So in short, the actual risk to Amazon for doing this is very low, and the potential lost revenue due to making people log back in is (I'm sure) much higher, which is why they let long-lasting sessions persist on their servers.
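The two controls described in the answer above (a long-lived token bound to a device ID and revoked on mismatch, plus a step-up check when an order goes to a new address), written as server-side logic. This is an added example, not the answerer's or Amazon's code; `SessionStore`, its method names, the return strings and the `card_reentered` flag are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed server-side secret, never sent to clients


class SessionStore:
    def __init__(self):
        self.sessions = {}         # token -> {"user", "tag", "revoked"}
        self.known_addresses = {}  # user -> set of previously used addresses

    def _device_tag(self, device_id):
        # Store a keyed digest of the device ID rather than the raw value.
        return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).digest()

    def issue(self, user, device_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user,
                                "tag": self._device_tag(device_id),
                                "revoked": False}
        return token

    def authenticate(self, token, device_id):
        session = self.sessions.get(token)
        if session is None or session["revoked"]:
            return None
        # The device ID is client-supplied, so this raises the bar for using
        # a stolen token; it does not prove which device sent the request.
        if not hmac.compare_digest(session["tag"], self._device_tag(device_id)):
            session["revoked"] = True  # token seen in the wrong context: revoke it
            return None
        return session["user"]

    def place_order(self, token, device_id, address, card_reentered=False):
        user = self.authenticate(token, device_id)
        if user is None:
            return "reauthenticate"
        known = self.known_addresses.setdefault(user, set())
        if address not in known:
            # New shipping address: the long-lived session alone is not enough.
            # card_reentered stands in for real verification of the card number.
            if not card_reentered:
                return "reenter_card"
            known.add(address)
        return "accepted"
```
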
It's worth pointing out that there is more at stake here than simply fraudulent orders. This one is worth a read:
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
Security is not a binary proposition; that is, things are not "secure" or "insecure", but fall somewhere on a security spectrum.
Thus, someone at Amazon has determined that keeping mobile sessions alive for several months, and not requiring a reprompt for checkout, is secure enough. From their perspective, this probably is a balance between the (very real monetary) cost of forcing users to re-auth and the (very real monetary) cost of users' stolen phones placing fraudulent orders. I suspect they also have additional fraud detection in place that will flag suspicious orders, reducing the cost of a stolen Amazon-authorized phone.
I'm not very familiar with the specifics of PCI-DSS, but I don't think it has any provisions that would apply in this situation.