SegmentPool - sensitive data in memory

[dounaka]

Hi,
I am working on an API call to register an user with Retrofit2. The request body contains sensitive information which should not stay long in memory.
After making the API call with retrofit and analyzing the memory dump, the json (request body) is still in memory, hold by okio.Segment (data attribute) - the instance is not removed by the GC.

Is there a way to clear the SegmentPool ?
Or a different way to make an API call with OkHttp client so the data will not remain in memory ?

Thank you

[swankjesse]

If we were gonna do this I think we'd mark a BufferedSink as sensitive, then track writes to it as needing zeroing before they're freed.

I think it's an interesting idea but also a nontrivial bump in complexity and possibly runtime performance, even for people not using this feature.

The other question is whether we can implement this reliably enough. If we offer this feature we should do it right! Can we? It would impact a lot of code. For example, sensitivity information should travel through pipes.

[dounaka]

Thank you for the quick response. I understand what you are suggesting and the difficulties to implement it.
I was thinking of having a function that sanitize all the segments that exist in the SegmentPool.
The application will be responsible to call the function after an API call (register user or login).
Can it be a solution ?

Thank you.

[swankjesse]

That won't work reliably enough due to races. If you need a quick hack to prevent a Buffer from being pooled, call clone() on it when it has sensitive data in it. That won't get zeroed but the memory will also not be pooled. (This trick should work for all current Okio releases but it isn't a documented feature and could break in a future release.)

[dounaka]

Perfect, thank you.