TippingPoint Digital Vaccine Laboratories

What Security Are You Talkin 'Bout Willis?

Way back at Defcon 10, GOBBLES security had a presentation named "Wolves Among Us" that was basically them taking shots at anyone and everyone they could think of. At one point the target of their ridicule was the developers of OpenSSH, for the vulnerability publicly released earlier that summer. At that point during the presentation, most people were already discounting everything said as flamebait. One of the presenters declared that everyone should abandon ssh as a protocol entirely. A voice from the crowd shouted back "What would you have us use? Telnet?!" and the audience all started laughing.

The same presenter (I believe it was Rocky, but this was seven years ago, and I can't find a video still online to double check) shouted back over the laughter, "Yes! I use telnet, tunnelled over SSL". People started talking about it, and the conversation turned to the fact that "secure" in "secure-shell" referred to the transport mechanism, and not the clients and servers themselves.

I had forgotten about that conversation until this past September, when I was giving my OS X reversing presentation at SecTor. While I was explaining the roles of certain files in the iPhone application bundle structure, I opened up the binary plist file, translated it to its XML form, opened it up and closed it as quickly as possible. The reason I closed it was because my password for that application was sitting in plain text in the XML. A quick change to the file off the main screen and it was back up, and I could explain to the audience where the password was sitting.

If you want to check this for yourself, you can SSH into your iPhone if it's already jailbroken, look at the plist files in your application directory, and convert them from binary to XML with plutil. If you want to work from your desktop (Mac OS X desktop, that is), you can pull the data from the backups iTunes makes. To do this, you will want to use Erica Sadun's mdhelper. This will extract all of your archived iPhone apps, including backup data.

Once you recover the files, look for the plist file that has the company name / URL. This is referred to as the Bundle Identifier. This is also where settings saved via NSUserDefaults are stored. Regardless of how these entries are marked in the user interface or settings bundle, they are stored in plain text. In Interface Builder, the Objective-C UI layout software, the UITextView control used for text input on the iPhone has a "secure" property. This is the same for text input elements in the settings menus. This brings up the characters that are quickly replaced with black circles.
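One way to audit an extracted backup for this, as an added example that is not code from the original post: it reads the plists with Python's plistlib instead of plutil and reports only the key paths, never the stored values. The key-name heuristic, the bundle identifier com.example.demoapp and the sample preferences are constructed assumptions.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Key-name fragments that suggest a stored credential (assumed heuristic).
SUSPECT = ("pass", "pwd", "secret", "token")

def walk(node, path=""):
    """Yield (key_path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def audit_plist(data):
    """Return key paths holding readable strings under credential-like names.
    Returns None when the bytes are not a parseable plist."""
    try:
        root = plistlib.loads(data)  # auto-detects binary and XML plists
    except (plistlib.InvalidFileException, ExpatError):
        return None
    return [p for p, v in walk(root)
            if isinstance(v, str) and v
            and any(s in p.rsplit("/", 1)[-1].lower() for s in SUSPECT)]

def audit_tree(root_dir):
    """Map plist file name -> flagged key paths (values are never reported)."""
    results = {}
    for f in sorted(Path(root_dir).rglob("*.plist")):
        hits = audit_plist(f.read_bytes())
        if hits:
            results[f.name] = hits
    return results

def demo():
    """Constructed sample: a binary preferences plist plus an unreadable file."""
    prefs = {"username": "alice", "password": "hunter2", "fontSize": 12,
             "accounts": [{"host": "mail.example.com", "authToken": "abc123"}]}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "com.example.demoapp.plist").write_bytes(
            plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY))
        Path(d, "broken.plist").write_bytes(b"not a plist")
        return audit_tree(d)
```

Point `audit_tree` at the directory where your own backup was extracted; a flagged key means that setting is readable by anything that can read the backup.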



Once the program reads the value from the control, there isn't a facility to store it on the disk in a suitably secure manner. If there is, it is not well documented, so it can easily be assumed most developers are not using it. In this manner, people assume the data on the phone is secure, but without an extra measure to protect it, it is all copied right over to iTunes directories every time you back up.

So when the word secure is used in the context of an iPhone control, it might not be the best term, because to different people it has different meanings.

On a side note, all your SMS messages are also archived in a SQLite database. Keep that in mind before you sync on your girlfriend's computer.
Published On: 2009-02-16 08:06:33

Comments

  1. Anonymous commented on 2009-02-16 @ 08:57

    http://www.def-con.org/media/gobbles.avi

  2. Anonymous commented on 2009-02-16 @ 22:58

    It was in fact Rocky who now works at Immunity

  3. Anonymous commented on 2009-07-11 @ 03:27

    http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fngdev.net%2Ffiles%2F&ei=G0pYSpSEJaO8mwP00pHWAw&usg=AFQjCNG2_BlfrwV5VDciGFtijhwbqS06Iw&sig2=QYHl_ARZnVgmmFnaX3NohQ

