On OS X Chrome pulls the passwords out of the keychain and then makes them completely accessibly in plaintext through the settings/passwords page. I have no idea why it does this.
Keychain is accessible through standard system API calls.
Apple does not require any sort of approval or valid developer certificate to use the Keychain. Any app that attempts to access the Keychain will trigger a system-level notification to the user informing them of what the app wants to access, and allowing the user to "Allow", "Deny" or "Always Allow" the request.
