Having done several HIPAA-compliant QML apps, I've not had this expressed to me as a requirement. The attack vector you're guarding against by having this requirement is dumping protected data by replacing the file with a modified version that dumps the protected data. This is actually the same as hacking the application, even at the machine/assembly level. There's not much you can do if the hacker is competent at that level. You'd have someone who is operating a disassembler and can get at any byte in memory.
However, if you insist on this level of protection, you can build a custom process to take the QML file that is, at a minimum, digitally signed and verify the digital signature on application start. This and variations of this idea all suffer from the same attack vector: after the check but before loading, they can be compromised.
But, I think it would be cool if we could sign resources in general, so they can't be counterfeit. Qt could extract and check at the same time, and only correctly signed assets are "successfully" loaded. Of course it comes down to a JUMP_IF_EQUAL or JUMP_IF_NOT_EQUAL instruction on whatever platform you are on.
Having the files human readable is beside the point. It's all open source anyway. Sure, proper encryption practice would have them compressed and encrypted, but you're not trying to protect the contents of the file, you're only trying to protect the contents from modification.
Sent: Wednesday, May 23, 2018 at 6:38 AM
From: "Van Gucht, Sam" <sam.vangu...@nobelbiocare.com>
To: "interest@qt-project.org" <interest@qt-project.org>
Subject: [Interest] Avoid readable QML files in application
Hi,
As a company (medical) policy, we don't allow readable files on the user PC in order to protect patient information. This means the information our application saves and Qt specific files, such as QML files. Our custom QML files are compiled into libraries with qrc. We do the same for the QML files from Qt (Quick.Controls, GraphicalsEffects, ...). But for certain modules this doesn't work, e.g. Quick.Controls2.
Is anyone doing something similar? Do you have the same problems? Other solutions to make the QML files not readable?
Best regards,
Sam
__________________________________
Sam Van Gucht
Software Developer
Nobel Biocare c/o Medicim NV
Stationstraat 102, 2800 Mechelen, Belgium
nobelbiocare.com
E-mail: sam.vangu...@nobelbiocare.com
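The reply's point about the window "after the check but before loading", as an added example that is not code from either poster or from Qt: reading the asset once and handing the verified bytes to the loader closes the file-level window, while checking a path and reopening it leaves it open. Assumptions: the manifest, function names and sample QML are hypothetical and constructed, and a pinned SHA-256 digest stands in for verifying a digital signature so the block runs with the standard library only. It does not address the patched-binary case the reply also describes.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample asset standing in for a shipped QML file.
SAMPLE_QML = b'import QtQuick 2.9\nText { text: "patient view" }\n'

# Hypothetical manifest built into the application at release time. A real
# deployment would verify a digital signature here; the pinned digest is a
# stand-in for that step (assumption).
TRUSTED_DIGESTS = {"Main.qml": hashlib.sha256(SAMPLE_QML).hexdigest()}


class IntegrityError(Exception):
    """Raised when an asset does not match its trusted digest."""


def digest_ok(name, data):
    expected = TRUSTED_DIGESTS.get(name)
    actual = hashlib.sha256(data).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)


def load_verified(path, loader):
    """Read once, verify those bytes, pass the same bytes to the loader."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not digest_ok(os.path.basename(path), data):
        raise IntegrityError(path)
    return loader(data)  # the loader never reopens the path


def load_check_then_reopen(path, loader, between=lambda: None):
    """Racy variant: the check and the load read the file separately."""
    with open(path, "rb") as fh:
        if not digest_ok(os.path.basename(path), fh.read()):
            raise IntegrityError(path)
    between()  # anything changing the file here goes unnoticed
    with open(path, "rb") as fh:  # second read is unverified
        return loader(fh.read())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        qml = os.path.join(tmp, "Main.qml")
        with open(qml, "wb") as out:
            out.write(SAMPLE_QML)
        print(len(load_verified(qml, bytes)), "verified bytes loaded")
```

In a Qt application the `loader` role can be played by `QQmlComponent::setData()`, which takes the QML source as a `QByteArray` instead of a file path.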