[Interest] QML and sensitive data

Alexander Ivash elderorb at gmail.com
Thu Sep 5 17:25:43 CEST 2019


Thanks Jason, making a custom component which would be able to present
data from password chunks stored in different locations sounds a
bit less painful than other options. I'll keep it in mind.

Thu, 5 Sep 2019 at 16:30, Jason H <jhihn at gmx.com>:
>
> > Is there any mechanism for cleaning up sensitive data like passwords etc.
> > from QML? The issue is that gc() doesn't seem to even nullify memory
> > (at least in release on Windows) so all the sensitive information
> > stays in memory.
>
>
> My recommendation would be to use a library that has proper storage and management of such things. I have used the Crypto++ library ( https://www.cryptopp.com/ ) with Qt/QML. It's not a magic bullet and proper cryptography is hard. However, I think you can keep the string in C++ land, and encrypted. How? You have to not store the password ever. Assuming I understand your situation, if it were me trying to protect a password field, I would have something that looks and behaves like an InputText (or whatever) that sends the characters to the C++ side, so that the sensitive data never exists in QML, subject to gc(). Of course keylogging would be able to recover the password, but there is no single QML string that is "SuperSecretIn-MemoryPassword1234!@#$".
>
> So:
> 1. Break it into non-contiguous parts
> 2. Do all crypto in C++
> 3. Have the UI mimic familiar paradigms but don't actually use them
>
>
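
The approach discussed in this thread, as an added example that is not part of the original messages and not Qt or Crypto++ code: a C++-side buffer that receives the password one character at a time and is wiped after use. The names `SecretInput`, `secureWipe` and `demoChecksum` are hypothetical, only standard C++ is used, and the binding that exposes `append`/`backspace` to QML is assumed.

```cpp
#include <array>
#include <cstddef>
// Zero memory through a volatile pointer so the compiler does not drop the
// stores as dead writes (a plain memset before destruction may be elided).
inline void secureWipe(void *p, std::size_t n) {
    volatile unsigned char *v = static_cast<volatile unsigned char *>(p);
    while (n--) *v++ = 0;
}

// Hypothetical backend for a password field: the UI forwards one key at a
// time, so the secret never exists as a single QML/JS string.
class SecretInput {
public:
    static constexpr std::size_t kCapacity = 128;  // fixed size: no realloc copies
    SecretInput() = default;
    SecretInput(const SecretInput &) = delete;     // no accidental copies
    SecretInput &operator=(const SecretInput &) = delete;
    ~SecretInput() { clear(); }
    bool append(char c) { return len_ < kCapacity ? (buf_[len_++] = c, true) : false; }
    void backspace() { if (len_) buf_[--len_] = 0; }
    std::size_t length() const { return len_; }    // all the UI needs to draw dots
    void clear() { secureWipe(buf_.data(), buf_.size()); len_ = 0; }
    // Hand the bytes to a consumer (KDF, login call), then wipe at once.
    template <typename F> auto consume(F &&f) {
        auto result = f(static_cast<const char *>(buf_.data()), len_);
        clear();
        return result;
    }
    bool isZeroed() const {                        // test hook only
        for (char c : buf_) if (c != 0) return false;
        return true;
    }
private:
    std::array<char, kCapacity> buf_{};
    std::size_t len_ = 0;
};

// Constructed demo: type "hunter3", correct it to "hunter2", consume it.
unsigned demoChecksum(SecretInput &in) {
    const char typed[] = "hunter3";                // constructed sample input
    for (const char *p = typed; *p; ++p) in.append(*p);
    in.backspace();
    in.append('2');
    return in.consume([](const char *p, std::size_t n) {
        unsigned sum = 0;                          // stand-in for a real KDF
        for (std::size_t i = 0; i < n; ++i) sum += static_cast<unsigned char>(p[i]);
        return sum;
    });
}
```

The QML side would only ever see `length()`; the wipe does not cover copies made by the consumer callback or by the OS input path.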


