[Interest] QML and sensitive data

Jason H jhihn at gmx.com
Thu Sep 5 15:30:53 CEST 2019


> Is there any mechanism for cleaning up sensitive data like passwords etc
> from QML? The issue is that gc() doesn't seem to even nullify memory
> (at least in release on Windows) so all the sensitive information
> stays in memory.


My recommendation would be to use a library that has proper storage and management of such things. I have used the Crypto++ library ( https://www.cryptopp.com/ ) with Qt/QML. It's not a magic bullet and proper cryptography is hard. However, I think you can keep the string in C++ land, and encrypted. How? You have to not store the password ever. Assuming I understand your situation, if it were me trying to protect a password field, I would have something that looks and behaves like an InputText (or whatever) that sends the characters to the C++ side, so that the sensitive data never exists in QML, subject to gc(). Of course keylogging would be able to recover the password, but there is no single QML string that is "SuperSecretIn-MemoryPassword1234!@#$".

So:
1. Break it into non-contiguous parts
2. Do all crypto in C++
3. Have the UI mimic familiar paradigms but don't actually use them
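
One way the C++ side of such a field could hold the characters it receives, as an added example that is not part of the original post. `SecretBuffer`, its methods and the 128-byte capacity are hypothetical; in a Qt application it would sit behind a QObject whose invokable methods the QML field calls once per keystroke.

```cpp
#include <array>
#include <cstddef>

// Hypothetical helper (not from the post): keeps password characters on the
// C++ side in a fixed-size buffer, so no reallocation leaves stale copies.
class SecretBuffer {
public:
    static constexpr std::size_t kCapacity = 128;  // assumed maximum length

    SecretBuffer() = default;
    ~SecretBuffer() { wipe(); }                             // zero on destruction
    SecretBuffer(const SecretBuffer&) = delete;             // no accidental copies
    SecretBuffer& operator=(const SecretBuffer&) = delete;

    // Called once per keystroke; returns false when the buffer is full.
    bool append(char c) {
        if (len_ == kCapacity) return false;
        data_[len_++] = c;
        return true;
    }

    // Backspace: overwrite the removed character, not just shrink the length.
    bool backspace() {
        if (len_ == 0) return false;
        volatileStore(--len_, 0);
        return true;
    }

    // Overwrite the whole buffer. Stores go through a volatile pointer so the
    // compiler does not drop them as dead stores.
    void wipe() {
        for (std::size_t i = 0; i < kCapacity; ++i) volatileStore(i, 0);
        len_ = 0;
    }

    std::size_t size() const { return len_; }
    const char* data() const { return data_.data(); }  // hand to crypto code only
    bool isZeroed() const {
        for (char c : data_) if (c != 0) return false;
        return true;
    }

private:
    void volatileStore(std::size_t i, char v) {
        static_cast<volatile char*>(data_.data())[i] = v;
    }
    std::array<char, kCapacity> data_{};
    std::size_t len_ = 0;
};
```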









