Hi! I'm actually the developer of 2STP. I can help shed a little light on how two-step authentication works.
When you enable two-step authentication, you usually get a QR code to scan. That QR code contains a "shared secret key," along with some other information like the name of the website and a display name. It's called a "shared" secret key because it's known to both you and the website you're logging into.
Using that secret key, the current time, and some math, you can generate a two-step authentication code. The math and current time are publicly known, but because only you and the website know the shared secret, the two-step codes are secure and can't be guessed.
However, the process becomes less secure if the shared secret key is made available to anyone else besides you and the original website.
That's part of the reason I made 2STP. Google Authenticator, as you've noticed, lacks several convenient iOS-specific features. Authy is better, but because Authy uses an online account system, it's very easy to unintentionally hand them a copy of your shared secrets, which is less secure. I personally also don't like how the codes aren't all displayed on one screen.
2STP never connects to the internet without your permission. All data is encrypted and securely stored in the iOS Keychain, and is never shared with anyone without your direct permission. In fact, the only time it connects to the internet or shares account data is when you use the Import/Export Account feature, and even then it's technically not the app that connects to the internet, but iOS itself.
You'll have to take my word for it, since there's no easy way to verify it first-hand—but if it makes you feel better, know that there's no way I could afford the infrastructure needed to collect all these secret keys, which are useless without the corresponding username and password in any case.
Anyway, thanks for considering my app! I wrote it mainly for my own use, but I'm glad it's helpful to others as well.
(As a side note, I am almost 100% certain that the App Review process does not check for malicious code in this way. Since Apple only receives a binary, it would be prohibitively difficult and expensive to analyze the code in any meaningful way. App Review mainly just checks that the app appears to perform as advertised, doesn't have any really obvious bugs, and doesn't use private APIs.)