Implementing Biometric Encryption in .NET MAUI

πŸ” Implementing Biometric Encryption in .NET MAUI

Using the Secure Enclave to Protect Keys

Security is no longer optional, especially when your app handles sensitive data, authentication tokens, or cryptographic keys. In modern mobile environments, relying solely on passwords or basic storage mechanisms is insufficient. With .NET MAUI, you can combine biometric authentication with hardware-backed key protection to achieve a much higher level of security. In this guide, we’ll walk through how to implement biometric encryption using the Secure Enclave (iOS) and hardware-backed keystores (Android) to protect your encryption keys. 🔐


🧠 What Is the Secure Enclave?

The Secure Enclave is a hardware-isolated security module available on iOS devices that:

  • Stores cryptographic keys 🔑
  • Performs encryption/decryption operations
  • Requires biometric authentication (Face ID / Touch ID)
  • Prevents keys from ever leaving the secure hardware

👉 Equivalent on Android:

  • Android Keystore (hardware-backed when available)

πŸ—οΈ Architecture Overview

A clean, secure implementation should look like this:

UI (Login / Sensitive Actions)
        ↓
IBiometricEncryptionService
        ↓
Platform Implementations (iOS Secure Enclave / Android Keystore)

🧩 Step 1: Define the Abstraction

public interface IBiometricEncryptionService
{
    Task<byte[]> EncryptAsync(byte[] data);
    Task<byte[]> DecryptAsync(byte[] encryptedData);
    Task<bool> IsBiometricAvailableAsync();
}

🧩 Step 2: Shared Partial Class

public partial class BiometricEncryptionService : IBiometricEncryptionService
{
    public partial Task<byte[]> EncryptAsync(byte[] data);
    public partial Task<byte[]> DecryptAsync(byte[] encryptedData);
    public partial Task<bool> IsBiometricAvailableAsync();
}

🍏 Step 3: iOS Implementation (Secure Enclave)

Using:

  • LocalAuthentication
  • Keychain
  • Secure Enclave-backed keys

#if IOS
using LocalAuthentication;
using Security;

public partial class BiometricEncryptionService
{
    public partial Task<bool> IsBiometricAvailableAsync()
    {
        // LAContext reports whether Face ID / Touch ID is enrolled and usable on this device
        var context = new LAContext();
        return Task.FromResult(
            context.CanEvaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, out _));
    }

    public partial Task<byte[]> EncryptAsync(byte[] data)
    {
        // Simplified: generate or retrieve the key stored in the Secure Enclave
        // and perform the encryption with the SecKey APIs
        return Task.FromResult(data); // Replace with the actual encrypted result
    }

    public partial Task<byte[]> DecryptAsync(byte[] encryptedData)
    {
        // Simplified placeholder; every partial method declared in the shared class must be implemented here
        return Task.FromResult(encryptedData); // Replace with the actual decrypted result
    }
}
#endif

🤖 Step 4: Android Implementation (Keystore)

#if ANDROID
using Android.Security.Keystore;
using AndroidX.Biometric;

public partial class BiometricEncryptionService
{
    public partial Task<bool> IsBiometricAvailableAsync()
    {
        // BiometricManager comes from the AndroidX.Biometric package;
        // Android.App.Application is fully qualified to avoid clashing with the MAUI Application type
        var biometricManager = BiometricManager.From(Android.App.Application.Context);
        return Task.FromResult(
            biometricManager.CanAuthenticate() == BiometricManager.BiometricSuccess);
    }

    public partial Task<byte[]> EncryptAsync(byte[] data)
    {
        // Use KeyGenParameterSpec with SetUserAuthenticationRequired(true)
        return Task.FromResult(data); // Replace with encrypted result
    }

    public partial Task<byte[]> DecryptAsync(byte[] encryptedData)
    {
        // Simplified placeholder; every partial method declared in the shared class must be implemented here
        return Task.FromResult(encryptedData); // Replace with decrypted result
    }
}
#endif

πŸ” Step 5: Key Generation Strategy

iOS Secure Enclave

  • Keys are generated with:
    • kSecAttrTokenIDSecureEnclave
    • Access control requiring biometrics

Android Keystore

var spec = new KeyGenParameterSpec.Builder(
    "MyKey",
    KeyStorePurpose.Encrypt | KeyStorePurpose.Decrypt)
    .SetUserAuthenticationRequired(true)
    .Build();
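Filling in the Android side of Steps 4 and 5, as an added example that is not the article's code: a Keystore-resident AES-GCM key generated from the KeyGenParameterSpec above (with the block mode and padding the spec must declare for that cipher to initialise), and the encrypt/decrypt bodies that the stubs leave as placeholders. The class name, the IV-prefixed blob layout and the Android.Security.Keystore / Javax.Crypto calls are this example's choices; only the key alias "MyKey" comes from the article.

```csharp
#if ANDROID
using System.Linq;
using Android.Security.Keystore;
using Java.Security;
using Javax.Crypto;
using Javax.Crypto.Spec;

// Hypothetical helper (added example, not the article's code): a biometric-gated AES-GCM key that
// never leaves the Android Keystore, plus the encrypt/decrypt bodies the stubs above leave out.
public static class KeystoreCrypto
{
    const string Alias = "MyKey", Provider = "AndroidKeyStore", Transform = "AES/GCM/NoPadding";
    const int IvLen = 12, TagBits = 128;

    // Generate the key once. GCM/NoPadding must be declared here or Cipher.Init fails later;
    // every use then requires user authentication, and biometric re-enrolment invalidates the key.
    public static void EnsureKey()
    {
        var ks = KeyStore.GetInstance(Provider)!; ks.Load(null);
        if (ks.ContainsAlias(Alias)) return;
        var spec = new KeyGenParameterSpec.Builder(Alias, KeyStorePurpose.Encrypt | KeyStorePurpose.Decrypt)
            .SetBlockModes(KeyProperties.BlockModeGcm).SetEncryptionPaddings(KeyProperties.EncryptionPaddingNone)
            .SetKeySize(256).SetUserAuthenticationRequired(true).SetInvalidatedByBiometricEnrollment(true)
            .Build();
        var gen = KeyGenerator.GetInstance(KeyProperties.KeyAlgorithmAes, Provider)!;
        gen.Init(spec); gen.GenerateKey();
    }

    // Cipher bound to the key. Show the prompt with new BiometricPrompt.CryptoObject(cipher) and use
    // result.CryptoObject.Cipher after success; DoFinal on a cipher that was not authenticated throws.
    public static Cipher ForEncrypt() => Init(CipherMode.EncryptMode, null);
    public static Cipher ForDecrypt(byte[] blob) => Init(CipherMode.DecryptMode, blob[..IvLen]);

    static Cipher Init(CipherMode mode, byte[]? iv)
    {
        var ks = KeyStore.GetInstance(Provider)!; ks.Load(null);
        var cipher = Cipher.GetInstance(Transform)!;
        if (iv is null) cipher.Init(mode, ks.GetKey(Alias, null));   // Keystore chooses a fresh IV
        else cipher.Init(mode, ks.GetKey(Alias, null), new GCMParameterSpec(TagBits, iv));
        return cipher;
    }

    // Blob layout: iv(12) | ciphertext + 16-byte GCM tag. The IV is not secret but must be stored.
    public static byte[] Encrypt(Cipher authenticated, byte[] data) =>
        authenticated.GetIV()!.Concat(authenticated.DoFinal(data)).ToArray();

    // Tampered ciphertext or a wrong IV fails tag verification and throws AEADBadTagException.
    public static byte[] Decrypt(Cipher authenticated, byte[] blob) =>
        authenticated.DoFinal(blob, IvLen, blob.Length - IvLen);
}
#endif
```

Because the key requires authentication per use, the cipher returned by ForEncrypt or ForDecrypt must go through BiometricPrompt before Encrypt or Decrypt is called with it.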

βš–οΈ Secure Enclave vs Android Keystore

📊 Comparative Table

Feature               | iOS Secure Enclave 🍏 | Android Keystore 🤖
Hardware Isolation    | ⭐⭐⭐⭐⭐            | ⭐⭐⭐⭐
Biometric Integration | ⭐⭐⭐⭐⭐            | ⭐⭐⭐⭐
Key Exportability     | ❌ Never              | ⚠️ Depends
Security Level        | ⭐⭐⭐⭐⭐            | ⭐⭐⭐⭐

🧠 Best Practices

✅ 1. Never Store Raw Keys

Always rely on hardware-backed storage.
✅ 2. Require Biometric Authentication

Ensure:

  • User presence is required
  • Keys are unusable without biometrics

✅ 3. Handle Fallbacks

Biometrics can fail:

  • Provide PIN/password fallback
  • Avoid locking users out

✅ 4. Encrypt Sensitive Data Only

Avoid overuse:

  • Encrypt tokens, secrets, credentials
  • Don’t encrypt everything unnecessarily

✅ 5. Combine with Secure Storage

Use:

  • Keychain (iOS)
  • EncryptedSharedPreferences (Android)

🧱 Advanced Pattern (PRO Level)

🔄 Envelope Encryption

Instead of encrypting everything directly:

  1. Generate a symmetric key (AES)
  2. Protect it with Secure Enclave / Keystore
  3. Use it for fast encryption

var encryptedKey = ProtectKeyWithBiometrics(aesKey);
var encryptedData = EncryptWithAes(data, aesKey);


πŸ” Final Thoughts

Implementing biometric encryption correctly transforms your app from secure to enterprise-grade secure.

👉 You’re not just authenticating users…
👉 You’re protecting the cryptographic backbone of your application.
