On 9/5/19 5:00 AM, Alexander Ivash wrote:
> Thank you for the fast response, but my question is purely about QML. On
> the C++ side I have a lot of ways of nullifying / erasing sensitive
> information *after* it is not needed (let's say after a particular QML
> screen gets closed). But on the QML / JS side I have no control at
> all. It would be great if one of the QML guys could step in and comment too.

The correct solution is to never use QML for anything. It's a needless burden on the processor _and_ it's insecure. Who wouldn't want to write everything with that???

Thiago tried to point you in the correct direction, but I think you missed it. All data must be owned by C++. Never use Q_PROPERTY() so you can control the lifespan and communications.

I'm guessing you prompt for a username &/or password and have one control enter the entire thing. Upon success you navigate to a new dialog/screen/whatever and the insecure luggage is left lying around.

You can "solve" this problem architecturally by not doing that.

Cheap hack #1: assign both fields new values once validated, say "*****" and force screen update before navigating away.

A much better solution would be to have your own entry control which sends each character back to C++ and displays first a string with that character, then after 1-3 seconds changes all visible characters to a * so the string in QML never contains the complete username or password. Perform all validation logic within C++ and have C++ own the data. Let QML be no more than a screen surface.

The best solution would be to use Widgets.

--
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com

_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
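
Added example (not part of the original message and not Qt's own code): the per-character entry idea described in the reply above, in plain C++, where the C++ object owns the secret and the UI layer only ever receives a masked display string. The class name SecretEntry, its methods and the 128-character limit are assumptions; in a Qt application these methods would be exposed to QML as invokable methods, and the comparison against a plain reference string stands in for real credential verification.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical C++-side owner of a secret typed one character at a time.
// The UI layer never holds the full secret, only the masked display string.
class SecretEntry {
public:
    static constexpr std::size_t kMaxLen = 128;  // assumed limit
    SecretEntry() { secret_.reserve(kMaxLen); }  // no reallocation, so no stray copies
    SecretEntry(const SecretEntry&) = delete;    // never duplicate the secret
    ~SecretEntry() { wipe(); }

    // Called per keystroke. Returns what the screen may show:
    // stars for earlier characters, the newest character in clear.
    std::string appendChar(char c) {
        if (secret_.size() >= kMaxLen) return maskAll();
        secret_.push_back(c);
        std::string shown(secret_.size() - 1, '*');
        shown.push_back(c);
        return shown;
    }

    // Called when the short reveal timer fires: everything masked.
    std::string maskAll() const { return std::string(secret_.size(), '*'); }

    // Compare without an early exit on the first mismatch, then wipe.
    bool validateAndWipe(const std::string& expected) {
        unsigned char diff = secret_.size() == expected.size() ? 0 : 1;
        for (std::size_t i = 0; i < secret_.size(); ++i) {
            char e = i < expected.size() ? expected[i] : 0;
            diff |= static_cast<unsigned char>(secret_[i] ^ e);
        }
        wipe();
        return diff == 0;
    }

    // Overwrite through a volatile pointer so the stores are not optimized away.
    void wipe() {
        volatile char* p = secret_.data();
        for (std::size_t i = 0; i < secret_.size(); ++i) p[i] = 0;
        secret_.clear();
    }

    std::size_t length() const { return secret_.size(); }

private:
    std::vector<char> secret_;
};
```

The display strings returned to the UI are ordinary copies that the QML/JS side may keep, which is why they carry at most one clear character.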
