I have an iOS App that may store confidential information and also uses iCloud to synchronize its Core Data between devices (the data itself is encrypted inside Core Data).
People can protect the App with a password, and can also create two secret questions to help them recover a lost password.
The password and secret questions are kept in the keychain.
Quite often I get support requests that say "Hey, I forgot my password and I also forgot the answers to my secret questions, so now I cannot access my precious data. Please help".
Some people also say that they tried to remove the App and re-install it (knowing that the data will be re-synched from iCloud), assuming that this will reset their password, which of course does not happen.
Currently there's no way for me to help these people.
Now here's the question.
On one hand, it's very easy for me to clear the password and secret questions from the keychain on first launch, so that people can create a new one if they remove and re-install the App.
However, this seems to create a security hole. An unauthorized person getting hold of the device can remove the App, re-install it, create a new password, let the App synchronize with iCloud and access the confidential data.
I believe that there are many more innocent people who forget their passwords than people trying to steal other people's data, but I still feel reluctant to go "the easy way".
What do you think?
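To make the trade-off in the question concrete, here is an added example (not code from the original post) of the "clear the keychain on first launch" approach it describes. It relies on the fact that UserDefaults lives in the app sandbox and is deleted with the app, while keychain items survive an uninstall, so a missing defaults marker identifies a fresh install or reinstall. The service identifier, account name and defaults key are assumed names.

```swift
import Foundation
import Security

// Assumed identifiers; substitute the app's own.
let keychainService = "com.example.myapp.credentials"
let installMarkerKey = "com.example.myapp.hasLaunchedBefore"

/// Stores a secret (the app password or a secret-question answer) as a generic-password item.
/// ThisDeviceOnly keeps the item out of backups that could be restored to another device.
@discardableResult
func storeSecret(_ secret: String, account: String, service: String = keychainService) -> Bool {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Replace any existing item for this account rather than failing with errSecDuplicateItem.
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecValueData as String] = Data(secret.utf8)
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(item as CFDictionary, nil) == errSecSuccess
}

/// Reads a secret back; nil when no item exists (e.g. after a wipe).
func loadSecret(account: String, service: String = keychainService) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    guard SecItemGetOriginal(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

/// Deletes every generic-password item this app stored under `service`.
/// Treats "nothing to delete" as success.
@discardableResult
func deleteAllSecrets(service: String = keychainService) -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
    ]
    let status = SecItemDelete(query as CFDictionary)
    return status == errSecSuccess || status == errSecItemNotFound
}

/// The approach from the question: on the first launch after (re)install, wipe the
/// password and secret questions left behind by a previous install, then set the marker.
/// Returns true when a wipe was performed.
@discardableResult
func resetCredentialsIfFreshInstall(defaults: UserDefaults = .standard) -> Bool {
    if defaults.bool(forKey: installMarkerKey) {
        return false   // marker present: same install, leave stored secrets alone
    }
    deleteAllSecrets()
    defaults.set(true, forKey: installMarkerKey)
    return true
}
```

Call `resetCredentialsIfFreshInstall()` from `application(_:didFinishLaunchingWithOptions:)` before any keychain read. Note that the reset condition is exactly the one described in the question: anyone holding the device who can delete and reinstall the app triggers it, so whoever reinstalls gets to set a new password before iCloud re-syncs the data. The example shows the mechanism so the trade-off can be judged, not as a recommendation. (One correction to the listing: the read helper should call `SecItemCopyMatching`, the standard lookup call; `SecItemGetOriginal` above is a typo for it.)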
Short answer: For the probably small number of people who are affected, here's one idea: try first backing up to iTunes, with the "encrypt local backup" unchecked (this leaves out the keychain). Then wipe and restore the device from that iTunes backup. This should put the app and its data back on the device, but sans the keychain. Note that I haven't tried it, so please test before contacting users with this solution. See: http://support.apple.com/kb/TS4108 for some relevant instructions.
Longer thoughts: I think deleting user keychain data on first-run goes against user expectations. Apple maintains the keychain after app uninstall so that users don't lose data. The security hole issue is really covered by the protections Apple provides to the user -- password lock, data wipe -- and the security features developers can implement -- keychain, file encryption -- and as such should not be a big consideration in how you deal with this.
Unfortunately, regardless of all this, you are still stuck with current users. Apple really needs to provide device-level user accounts as on OS X so that the keychain is locked to a particular account. But back in the real world, we are still stuck with requiring the anachronistic e-mail address with user registration to provide a password reset e-mail. It sounds like your user accounts are stored locally, however.