[Interest] QML and sensitive data

Alexander Ivash elderorb at gmail.com
Thu Sep 5 17:16:57 CEST 2019


Thanks, guys, for all the advice. Unfortunately switching to widgets is
not possible at the moment (is it even still supported for Android?),
although making a custom QQuickItem could be an option. But I still
don't see how it will resolve the issue with JS-managed strings.
Unless of course your suggestion is really about injecting my custom
QQuickItem into the scene graph purely from the C++ side, without
instantiating it from QML. But as I understand it, in this case I also
have to implement all the event handling & focus support from scratch.
Does it really look like a better approach than hooking the JS memory
manager?

As for passing a JS string to C++ - based on this video
(https://www.youtube.com/watch?v=77LH_I_Vx5E) about memory management
in QML/JS, for sure a JS string is not a QString, but I thought the QString
would be using the same string data, and that's exactly what I was
trying to override.

Thu, 5 Sep 2019 at 16:34, Jérôme Godbout <godboutj at amotus.ca> wrote:
>
> Maybe stating the obvious, but just in case: can your system support any OAuth2 authentication or SSH key instead? That would avoid the whole password in the first place. Maybe it doesn't meet your need at all, just making sure it was not overlooked. Login/password are bad in an application in the first place. But some applications still need those. Ignore if not applicable to you.
>
> -----Original Message-----
> From: Interest <interest-bounces at qt-project.org> On Behalf Of Jason H
> Sent: September 5, 2019 9:31 AM
> To: Alexander Ivash <elderorb at gmail.com>
> Cc: interestqt-project.org <interest at qt-project.org>
> Subject: Re: [Interest] QML and sensitive data
>
> > Is there any mechanism for cleanup sensitive data like passwords etc
> > from QML? This issue is that gc() doesn't seem to even nullify memory
> > (at least in release on Windows) so all the sensitive information
> > stays in memory.
>
>
> My recommendation would be to use a library that has proper storage and management of such things. I have used the Crypto++ library ( https://www.cryptopp.com/ ) with Qt/QML. It's not a magic bullet and proper cryptography is hard. However, I think you can keep the string in C++ land, and encrypted. How? You have to not store the password ever. Assuming I understand your situation, if it were me trying to protect a password field, I would have something that looks and behaves like an InputText (or whatever) that sends the characters to the C++ side, so that the sensitive data never exists in QML, subject to gc(). Of course keylogging would be able to recover the password, but there is no single QML string that is "SuperSecretIn-MemoryPassword1234!@#$".
>
> So:
> 1. Break it into non-contiguous parts
> 2. Do all crypto in C++
> 3. Have the UI mimic familiar paradigms but don't actually use them
>

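The per-character hand-off suggested in the quoted reply, as an added example that is not code from the thread or from Qt: a plain C++ buffer that receives one character per key press, exposes only its length to the UI, and zeroes itself after use. `SecretBuffer` and its method names are hypothetical; in a Qt application they would sit behind a QObject exposed to QML.

```cpp
#include <array>
#include <cstddef>

// Hypothetical class: holds the secret on the C++ side only.
class SecretBuffer {
public:
    static constexpr std::size_t kCapacity = 128;
    SecretBuffer() = default;
    SecretBuffer(const SecretBuffer&) = delete;  // no stray copies of the secret
    SecretBuffer& operator=(const SecretBuffer&) = delete;
    ~SecretBuffer() { wipe(); }

    // Called once per key press; the UI never holds the whole password.
    bool append(char c) {
        if (len_ == kCapacity) return false;
        data_[len_++] = c;
        return true;
    }
    // Drop the last character and zero its slot.
    void backspace() {
        if (len_ > 0) { volatile char* p = data_.data(); p[--len_] = 0; }
    }
    // The only value the UI needs, e.g. to draw placeholder dots.
    std::size_t size() const { return len_; }

    // Hand the bytes to a consumer that returns a value (KDF, cipher, ...),
    // then wipe immediately.
    template <typename Consumer>
    auto consume(Consumer&& fn) {
        auto result = fn(static_cast<const char*>(data_.data()), len_);
        wipe();
        return result;
    }
    // Volatile writes keep the compiler from dropping the zeroing as a dead store.
    void wipe() {
        volatile char* p = data_.data();
        for (std::size_t i = 0; i < kCapacity; ++i) p[i] = 0;
        len_ = 0;
    }
    // Inspection helper for tests: true when every byte is zero.
    bool isZeroed() const {
        for (char c : data_) if (c != 0) return false;
        return true;
    }

private:
    std::array<char, kCapacity> data_{};
    std::size_t len_ = 0;
};
```

Characters delivered from a QML key handler still pass through the JS engine one at a time; this layout only ensures the complete password never exists as a single QML string.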

