Removing sensitive data from RAM

I have a requirement that sensitive data isn’t left in RAM. Is there any way to achieve this with Ionic?

I have seen suggestions that using typed arrays will allow us to zero the memory after use, but the HTML password input still leaves references in RAM indefinitely. Is there any way to avoid that?

Please elaborate on what you mean by “sensitive data”, specifically addressing:

  • what it represents in business logic terms, such as “an encryption key”, “a password”, or “a sales report downloaded from the internet”.
  • how it gets into the application, such as “user types in”, “comes over network”, or “automatically generated by the app”

…and how the sensitive data needs to be used, like:

  • what business-layer features need it, such as “uploading stuff”, “storing stuff on device”, or “displaying something to the user”
  • any limitations you can put on timing for the above, such as “only need it once at startup”, “only need when authenticating a user”
  • similarly, any directives on when exactly the sensitive data must be evicted, like “when the app exits”, “when the app goes into the background”, or “when the user explicitly pushes a button”

…and, finally, more details on exactly what threat is being addressed:

  • who is the blackhat? Do they have physical access to the device the app is running on?
  • what are we worried that they can do with the sensitive data?

My personal suspicion is that there are going to be more productive ways to spend developer effort on security in general than this specific concern, and maybe the end result of this discussion can be empowering you to move the conversation with whomever is imposing this “don’t leave things in RAM” requirement in that more productive direction.

Sensitive data: authentication tokens and username/password
username/password are input in form by the user
username/password are then sent to a server which returns an authentication token
authentication token is saved via nativestorage plugin
authentication token needs to be reloaded from nativestorage and sent with every network request that goes to server again

username/password must only exist in ram until the request for an authentication token is sent
authentication token must only exist in ram until the desired message is sent
authentication token needs to be stored securely on the device (so it can’t be accessed by other apps/users/etc, preferably also not accessible to root).

sensitive data must be evicted as soon as network request is sent

We don’t have an actual use case; this is required by a third party who is certifying our app.

In that case, I’ll back up and try to answer your specific question about Ionic.

Ionic isn’t going to make this any harder than it would be with any other technology that bundles web applications into mobile apps, and it might make aspects of it a bit easier. I would recommend looking at https://github.com/mibrito707/cordova-plugin-secure-storage-echo, because it is what lies underneath ionic-native secure storage. The data-at-rest encryption is at the mercy of the runtime environment. That plugin leverages the Keychain (iOS) and KeyStore (Android) features to handle:

Because of the way the Cordova bridge works, those values are going to come across as strings, so I think you’re at the mercy of the V8 garbage collector and/or the OS virtual memory system as far as trying to guarantee:

As for this bit, which you referenced in OP:

I think it would be feasible (although a bit tedious) to write a replacement for an ordinary <input> control that writes a password to a typed array character by character. Anything using Cordova or Capacitor is going to be limited again by the www/native bridge passing only strings.

Hopefully that is of some use.
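
The typed-array input replacement suggested in the reply above, sketched as an added example that is not part of the original posts or of any Ionic or Cordova API. `SecretBuffer` and its method names are hypothetical; the sketch assumes it is fed `event.key` from a `keydown` handler that calls `preventDefault()`, and it can only zero the buffers it owns.

```javascript
// Added example: SecretBuffer is a hypothetical helper, not an Ionic/Cordova API.
// Limits: each KeyboardEvent.key is still a short engine-managed string, and only
// BMP characters (one UTF-16 code unit) are accepted.
class SecretBuffer {
  constructor(maxLen = 128) {
    this.units = new Uint16Array(maxLen); // one UTF-16 code unit per typed character
    this.length = 0;
  }
  // Call from a keydown handler with event.key; returns true if the key was consumed.
  handleKey(key) {
    if (key === 'Backspace') {
      if (this.length > 0) this.units[--this.length] = 0;
      return true;
    }
    if (key.length !== 1 || this.length >= this.units.length) return false; // Shift, Enter, full
    this.units[this.length++] = key.charCodeAt(0);
    return true;
  }
  // UTF-8 encode the code units into a fresh Uint8Array without building a string.
  toUtf8() {
    const out = new Uint8Array(this.length * 3); // worst case: 3 bytes per BMP unit
    let n = 0;
    for (let i = 0; i < this.length; i++) {
      const c = this.units[i];
      if (c < 0x80) out[n++] = c;
      else if (c < 0x800) { out[n++] = 0xc0 | (c >> 6); out[n++] = 0x80 | (c & 0x3f); }
      else { out[n++] = 0xe0 | (c >> 12); out[n++] = 0x80 | ((c >> 6) & 0x3f); out[n++] = 0x80 | (c & 0x3f); }
    }
    const exact = out.slice(0, n);
    out.fill(0); // wipe the oversized scratch copy
    return exact;
  }
  wipe() {
    this.units.fill(0);
    this.length = 0;
  }
  // Hand the bytes to fn (sync or promise-returning), then zero every buffer we own.
  withBytes(fn) {
    const bytes = this.toUtf8();
    const done = () => { bytes.fill(0); this.wipe(); };
    let result;
    try { result = fn(bytes); } catch (e) { done(); throw e; }
    if (result && typeof result.then === 'function') return result.finally(done);
    done();
    return result;
  }
}
```

Anything that later converts these bytes to a string, including a call across the Cordova or Capacitor bridge, puts the value back under the garbage collector's control.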