ROBIN VAULT

Auto-Lock & Secure Memory

When the wallet wipes itself, and what "wipe" actually means.

Timing

App lifecycle stateBehavior
inactive / paused / hiddenStarts a 60-second timer
resumed (before timeout)Cancels the pending timer — no auto re-unlock
detached (process terminating)Wipes immediately and synchronously — no timer at all

Returning to the foreground within 60 seconds cancels the pending wipe, but never re-unlocks automatically — you always have to re-tap the card and re-enter the PIN, no matter how briefly the app was backgrounded.

Important

On process termination there is no timer, because a terminating process may not survive long enough for an asynchronous callback to ever fire. The wipe on detached happens immediately, synchronously, before anything else.

What "wipe" means

Every secret buffer — the Argon2 salt intermediate, the KDF entropy output, the BIP39 seed, and each chain's raw private key — is explicitly zeroed in memory. Nothing generated by the derivation pipeline is ever written to disk at any point, so there's nothing on disk to clean up in the first place.

Honest disclosure

One residual exposure is disclosed rather than hidden: the BIP39 mnemonic word list is held internally by the derivation library as a plain string list, which can't be force-zeroed the way byte buffers can. This is a known, minimized window — not a claim of perfect memory hygiene.

The lock animation is cosmetic

The dissolve visual you see when the app locks (700ms) is pure UX pacing. The real key wipe has already completed synchronously before that animation ever starts playing — the animation is never a gate on the actual security operation.