[Sec]: Zeroize the memory for each TWString

rust/coverage.stats

@@ -1 +1 @@
-92.0
+91.0

src/Keystore/StoredKey.cpp

@@ -17,6 +17,7 @@
 #include <boost/uuid/uuid_generators.hpp>
 #include <boost/uuid/uuid_io.hpp>
 #include <nlohmann/json.hpp>
+#include <TrezorCrypto/memzero.h>
 
 #include <cassert>
 #include <fstream>
@@ -32,7 +33,11 @@ StoredKey StoredKey::createWithMnemonic(const std::string& name, const Data& pas
     }
 
     Data mnemonicData = TW::Data(mnemonic.begin(), mnemonic.end());
-    return StoredKey(StoredKeyType::mnemonicPhrase, name, password, mnemonicData, encryptionLevel, encryption);
+    StoredKey key(StoredKeyType::mnemonicPhrase, name, password, mnemonicData, encryptionLevel, encryption);
+    if (!mnemonicData.empty()) {
+        memzero(mnemonicData.data(), mnemonic.size());
+    }
+    return key;
 }
 
 StoredKey StoredKey::createWithMnemonicRandom(const std::string& name, const Data& password, TWStoredKeyEncryptionLevel encryptionLevel, TWStoredKeyEncryption encryption) {

src/interface/TWString.cpp

@@ -6,7 +6,9 @@
 
 
 #include <TrustWalletCore/TWString.h>
+
 #include <string>
+#include <TrezorCrypto/memzero.h>
 
 TWString *_Nonnull TWStringCreateWithUTF8Bytes(const char *_Nonnull bytes) {
     auto* s = new std::string(bytes);
@@ -34,7 +36,13 @@ const char *_Nonnull TWStringUTF8Bytes(TWString *_Nonnull string) {
 }
 
 void TWStringDelete(TWString *_Nonnull string) {
-    auto* s = reinterpret_cast<const std::string*>(string);
+    auto *sConst = reinterpret_cast<const std::string*>(string);
+    // `const_cast` is safe here despite that the pointer to the string is const
+    // but `std::string` is not a constant value.
+    auto *s = const_cast<std::string*>(sConst);
+    if (!s->empty()) {
+        memzero(s->data(), s->size());
+    }
     delete s;
 }