Understanding the New Cryptographic APIs in Window Phone Mango


With the launch of Windows Phone Mango, Microsoft introduced over 500 new features, one of which was a set of new cryptographic APIs that developers can use in their applications to store credentials. The credentials can now be stored in an encrypted fashion that reduces the risk associated with an unencrypted environment like isolated storage.

With the new cryptographic APIs, a user's confidential data (e.g. login credentials to a social networking site) can be encrypted instead of keeping it in plain-text inside isolated storage.

The new Data Protection API (DPAPI) allows applications to store confidential data like phone PINs, connection strings and passwords in an encrypted form.

System.Security.Cryptography namespace has a class, ProtectedData, which provides Protect and Unprotect methods that can be used to exercise the Data Protection API.

The Protect API is used to encrypt the data and the Unprotect API is used to decrypt.

The Protect and the Unprotect API have the following signature,

public static byte[] Protect(
         byte[] userData,
         byte[] optionalEntropy
public static byte[] Unprotect(
         byte[] encryptedData,
         byte[] optionalEntropy

The entropy parameter can be used to specify increased complexity of encryption. If entropy is specified for Protect API for some data, the same value will need to be specified when the Unprotect API is called on the encrypted data to decrypt it.


Let us create a simple Windows Phone application that uses these cryptographic APIs.

Create a new Windows Phone application called WPCyrptoDemo.

Create a new Windows Phone application
Figure 1: Create a new Windows Phone application

When prompted for OS version, select 7.1

Select the Windows Phone Platform
Figure 2: Select the Windows Phone Platform

Add a checkbox, a textbox and a Button, as shown in the picture below.

Add a checkbox, textbox and button
Figure 3: Add a checkbox, textbox and button

The corresponding XAML code is shown below:

<!--ContentPanel - place additional content here-->
        <Grid x:Name="ContentPanel" Grid.Row="1" Margin="12,0,12,0">
            <Button Content="Login" Height="72" HorizontalAlignment="Left" Margin="121,254,0,0" Name="buttonLogin" VerticalAlignment="Top" Width="160" />
            <CheckBox Content="First Time" Height="72" HorizontalAlignment="Left" Margin="116,174,0,0" Name="checkBoxFirstTime" VerticalAlignment="Top" />
            <TextBlock Height="30" HorizontalAlignment="Left" Margin="92,129,0,0" Name="textBlock1" Text="PIN" VerticalAlignment="Top" Width="66" />
            <TextBox Height="72" HorizontalAlignment="Left" Margin="159,110,0,0" Name="textBoxPIN" Text="" VerticalAlignment="Top" Width="179" MaxLength="4">
            <TextBlock Height="30" HorizontalAlignment="Left" Margin="179,69,0,0" Name="textBlock2" Text="Enter PIN" VerticalAlignment="Top" Width="189" />

On the code-behind file, add a using statement to include System.IO.IsolatedStorage and System.Security.Cryptography namespace.

// MainPage.xaml.cs
using System.Security.Cryptography;
using System.IO.IsolatedStorage;

Now, add a local variable of type byte[].

public partial class MainPage : PhoneApplicationPage
        byte[] encryptedPINArray;

Implement two helper functions to store and retrieve the pin from encrypted state.

void StorePin(string text)
            byte[] pinArray = Encoding.UTF8.GetBytes(text);
            encryptedPINArray = ProtectedData.Protect(pinArray, null);
        string GetPin()
            byte[] unencryptedPINArray = ProtectedData.Unprotect(encryptedPINArray, null);
            return Encoding.UTF8.GetString(unencryptedPINArray, 0, unencryptedPINArray.Length);

Finally, implement the Click handler for the Login button. Our login algorithm is as under: When the First Time checkbox is checked, the PIN will be set. When the checkbox is unchecked, it will decrypt the encrypted PIN and compare to what we entered. If the comparison succeeds, the status message will be updated to reflect that the login was successful.

        private void buttonLogin_Click(object sender, RoutedEventArgs e)
            if (textBoxPIN.Text.Length != textBoxPIN.MaxLength)
                textBlockStatus.Text = "Enter a PIN of 4 characters and click Login to continue";
            if ((bool)checkBoxFirstTime.IsChecked )
                textBoxPIN.Text = "";
                textBlockStatus.Text = "PIN created";
                string storedPin = GetPin();
                if (textBoxPIN.Text == storedPin)
                    textBlockStatus.Text = "Login Successful";
                    textBlockStatus.Text = "Login Unsuccessful";

Now, compile and execute the application. When using the application for the first time, make sure the checkbox "First time" is checked, so that we can store the PIN for the first time. When we enter the PIN subsequently, the application will compare the PIN with the stored PIN.

If you are having trouble following along, you can download a copy of sample code below.


In this article, we learned about how we can use the new cryptographic APIs in a Windows Phone Mango application. I hope you have found this information useful.

This article was originally published on February 6th, 2012

About the Author

Vipul Vipul Patel

Vipul Patel is a Software Engineer currently working at Microsoft Corporation, working in the Office Communications Group and has worked in the .NET team earlier in the Base Class libraries and the Debugging and Profiling team. He can be reached at vipul_d_patel@hotmail.com

Related Articles


Most Popular Programming Stories

More for Developers

RSS Feeds

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date