Sorry for the delay, Macho Man ***** Savage. So what is your solution?
Rejecting the app will only prevent more users from hitting you, but what are you gonna do regarding the remaining ones?
I had to downgrade my security a little bit and I store my credentials in a plist file where all values are AES-128 encrypted, keys are obfuscated and the encryption key is built at runtime dynamically using obfuscation, keys appending, class names taken at runtime etc.
Not as safe as the keychain but I can't afford losing more clients as this issue is VERY big and is not gonna be solved in the near future from where I can see it.