The device needs to know the password so short of asking the user for a keychain-like password which is used to derive the decryption key, it's not going to be possible to store the password for a remote service (which it needs) on the device in a secure manner.

Having said that, there are a couple of simple things applications should consider doing when storing the passwords, and xoring the text with the MAC address + some application-specific number is simple enough to stop casual sniffing; even if it's not any more secure in any real way.

Cheers,

Andrew