Auto-Lock & Secure Memory
When the wallet wipes itself, and what "wipe" actually means.
Timing
| App lifecycle state | Behavior |
|---|---|
| inactive / paused / hidden | Starts a 60-second timer |
| resumed (before timeout) | Cancels the pending timer — no auto re-unlock |
| detached (process terminating) | Wipes immediately and synchronously — no timer at all |
Returning to the foreground within 60 seconds cancels the pending wipe, but never re-unlocks automatically — you always have to re-tap the card and re-enter the PIN, no matter how briefly the app was backgrounded.
Important
On process termination there is no timer, because a terminating process may not survive long
enough for an asynchronous callback to ever fire. The wipe on detached happens
immediately, synchronously, before anything else.
What "wipe" means
Every secret buffer — the Argon2 salt intermediate, the KDF entropy output, the BIP39 seed, and each chain's raw private key — is explicitly zeroed in memory. Nothing generated by the derivation pipeline is ever written to disk at any point, so there's nothing on disk to clean up in the first place.
Honest disclosure
One residual exposure is disclosed rather than hidden: the BIP39 mnemonic word list is held internally by the derivation library as a plain string list, which can't be force-zeroed the way byte buffers can. This is a known, minimized window — not a claim of perfect memory hygiene.
The lock animation is cosmetic
The dissolve visual you see when the app locks (700ms) is pure UX pacing. The real key wipe has already completed synchronously before that animation ever starts playing — the animation is never a gate on the actual security operation.