[Interest] QML and sensitive data

Alexander Ivash elderorb at gmail.com
Wed Sep 4 23:46:09 CEST 2019


Is there any mechanism for cleaning up sensitive data like passwords
etc. from QML? The issue is that gc() doesn't seem to even nullify memory
(at least in release on Windows), so all the sensitive information
stays in memory.

What I tried so far is to pass a JS-created string to C++ into a cleanup
function, which would take const QString&, then get access to
constData() (to ensure no detach) and fill the internal buffer with
random data, but got 'access violation' on accessing the first QChar.
Interestingly, the same approach works just fine with C++-created
QStrings. Does it mean the QML memory manager somehow protects memory?
A quick search for VirtualProtect resulted in nothing... Or is it because
of the multi-threaded nature of QML (render thread, event thread etc.)?
But just to clarify, I've been trying to do cleanup for a local
variable, so it was definitely not being rendered at that moment...

I can't override new/delete for QString or globally (which is a bad idea
anyway) as it will require a custom Qt build and moreover, without deep
knowledge of how QML memory management works it might lead
nowhere.

The next thing which comes to mind is hooking some Qt internals, but...
It just feels wrong and will require a lot of effort to implement on
all the platforms (and on some of them might not even be possible
without root access).

So... I would appreciate a lot any ideas, even the craziest ones. Also, are
there any actual technical notes on QML memory management?


