Quote: Originally Posted by ascii
I thought the keychain was an encrypted file, so not sure how they're doing this.
Think about this:
When your mail app checks for mail, does it always ask for your mail password?
When you re-visit a site you logged into yesterday (via http security) does it ask for your password?
No, it doesn't. Therefore, the key to decrypt the keychain must be stored on the device somewhere. The thief then jailbreaks your phone, reads the key, and decrypts your keychain.
On a desktop, it's usually tied to your login. There's no login on a phone so it must use a password it already knows.
This is a classic tradeoff between security and convenience. Users don't want to have to type in their password all the time, and they want their mail to check automatically, so the system has to know the password. If it asked the user every time, they'd get annoyed and switch to a different phone.