After extensive googling I haven't managed to find an answer to this question [1], which is surprising, since 'security through obscurity' isn't really security at all...
Is there a reliable source of an answer to this question (such as a certification application for iOS, source code, or similar)?
[1] The only mention I could find was that it might use 3DES.
According to this official Apple document:
The encryption is AES 128 in GCM (Galois/Counter Mode);
"Security through obscurity" means relying on obscurity to achieve security. It does not mean you are insecure just because you do not advertise your security mechanisms to the world.
Apple presumably wants the freedom to change the implementation of the keychain, so its encryption is not part of its specification because it does not need to be.
That said, I seriously doubt Apple uses 3DES, because they actually know what they are doing. I would give 10-to-1 odds they use AES.
An authoritative answer can probably only come from Apple or from someone who has disassembled their code.
According to the keychain documentation, Keychain services and other Mac OS X security APIs are built on the open source Common Data Security Architecture (CDSA) and its programming interface, Common Security Services Manager (CSSM).
More information on that here
The discussion thread here quotes from official Apple documentation (currently defunct), stating:
"All the password data in the keychain is protected using the Triple Digital Encryption Standard (3DES)."
I'll see if I can turn up anything more current / definitive.
UPDATE:
OK, there is a copy of an official OSX document here that does confirm the 3DES; however, I agree that the implementation is likely to be subject to change.
Whether this also applies to iOS would also require verification; however, given the harmonisation of iOS and Lion, I suspect it is more likely than not.
Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient. On A9 or later A-series processors, the flash storage subsystem is on an isolated bus that is only granted access to memory containing user data via the DMA crypto engine.