views: 4177
answers: 3

I need to store the user's password in my iPhone app.

When posting an app to the app store, I have to tell Apple if there's encryption in the app for export purposes.

I don't want my app to be restricted to US only, but I also don't want to store or send passwords over the net in clear text.

So basically the question is, can I encrypt passwords in a way that will not get my app restricted?

+3  A: 

First, if the user name and password are encrypted and decrypted on the phone, then the decryption key is obviously also on the phone and pretty much worthless. I wouldn't worry about storing user names and passwords encrypted on the phone.

For secure communication, you should use SSL which is probably in a library that is already on the phone. If you use a library that is part of the phone OS, I don't think that means your app "contains encryption".

Of course, I am not a lawyer. Who knows - the law might consider "pig latin" a valid encryption technology.

Neall
+4  A: 

Looks like the supplied crypt() function can be used for passwords:

This library (FreeSec 1.0) was developed outside the United States of America as an unencumbered replacement for the U.S.-only libcrypt encryption library. Programs linked against the crypt() interface may be exported from the U.S.A. only if they use crypt() solely for authentication purposes and avoid use of the other programmer interfaces listed above. Special care has been taken in the library so that programs which only use the crypt() interface do not pull in the other components.

(from the iPhone documentation for crypt(3))

lajos
+6  A: 

Just store the password in the keychain. It is a system API Apple provides, and you don't have to know anything about the encryption. Apple ships it, so it is their responsibility to ensure export compliance of the system frameworks. Presumably they use weaker (or no) encryption if they sell the device anywhere that it is prohibited, but if you use the available APIs you will not be shipping any export-restricted cryptographic code in your binary, and the only way that you could be interpreted as doing so would mean that Apple is shipping it with every iPhone.

Having said that, I am not a lawyer; I recommend consulting one if you are worried about it. No amount of other programmers' advice is particularly relevant on what is fundamentally a legal matter.

Louis Gerbarg
I asked whether use of the keychain would mean having to declare that you use encryption at the Tech Talk last year, and the answer was, "we don't know".
Phil Nash
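The keychain approach from the answer above, as an added example that is not part of any of the original answers: it stores, reads back and deletes a per-account password through the Security framework's Keychain Services C API (SecItemAdd, SecItemCopyMatching, SecItemDelete). It assumes an ARC-enabled build (the __bridge casts), an iOS 4 or later target where kSecAttrAccessible is available, and uses the service name "com.example.myapp" and the function names savePassword/loadPassword/deletePassword as placeholders chosen for this example.

```objectivec
// Added example: per-account password storage in the iOS Keychain.
// Not code from the original answers. Assumes ARC and iOS 4+.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder service identifier (assumption); use your app's own bundle-style name.
static NSString * const kExampleService = @"com.example.myapp";

// Common lookup dictionary: class + service + account identify one item.
static NSMutableDictionary *baseQuery(NSString *account) {
    return [NSMutableDictionary dictionaryWithObjectsAndKeys:
            (__bridge id)kSecClassGenericPassword, (__bridge id)kSecClass,
            kExampleService,                       (__bridge id)kSecAttrService,
            account,                               (__bridge id)kSecAttrAccount,
            nil];
}

// Store (or replace) the password for `account`. Returns YES on success.
BOOL savePassword(NSString *account, NSString *password) {
    NSMutableDictionary *query = baseQuery(account);

    // Remove any existing item first; otherwise SecItemAdd fails with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];
    [query setObject:secret forKey:(__bridge id)kSecValueData];

    // Readable only while the device is unlocked, and never migrated to another
    // device through a backup, so the item stays bound to this phone.
    [query setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
              forKey:(__bridge id)kSecAttrAccessible];

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
    return status == errSecSuccess;
}

// Read the stored password back, or nil if no item exists for `account`.
NSString *loadPassword(NSString *account) {
    NSMutableDictionary *query = baseQuery(account);
    [query setObject:(__bridge id)kCFBooleanTrue  forKey:(__bridge id)kSecReturnData];
    [query setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        return nil;   // errSecItemNotFound when nothing is stored
    }
    NSData *data = (__bridge_transfer NSData *)result;   // take ownership of the CF object
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the item, e.g. on sign-out. Treats "already absent" as success.
BOOL deletePassword(NSString *account) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)baseQuery(account));
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

The app binary contains no cipher code of its own here: the encryption of the keychain database is done by the OS, which is the point the answer makes. Choosing kSecAttrAccessibleWhenUnlockedThisDeviceOnly rather than the default accessibility is the one decision left to the app developer, and it matters because it keeps the secret out of device backups and unavailable while the phone is locked.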