[regression/8.0.0] [Maui][Android] Signature/MAC verification failed

[devWR]

Description

Since I updated to .NET8 RC2 SecureStorage.SetAsync does not work. It throws Javax.Crypto.AEADBadTagException with the following message: "Signature/MAC verification failed".
Issue reproduced using Samsung A40 with Android 11. Case happens when backup rules exclude mauiessentials.xml file.

Below you can find stacktrace:

  --- End of managed Android.Security.KeyStoreException stack trace ---
android.security.KeyStoreException: Signature/MAC verification failed
	at android.security.KeyStore.getKeyStoreException(KeyStore.java:1461)
	at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:186)
	at android.security.keystore.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:373)
	at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:506)
	at javax.crypto.Cipher.doFinal(Cipher.java:2113)
	at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.decryptInternal(AndroidKeystoreAesGcm.java:118)
	at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.decrypt(AndroidKeystoreAesGcm.java:101)
	at com.google.crypto.tink.KeysetHandle.decrypt(KeysetHandle.java:993)
	at com.google.crypto.tink.KeysetHandle.readWithAssociatedData(KeysetHandle.java:878)
	at com.google.crypto.tink.KeysetHandle.read(KeysetHandle.java:859)
	at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset(AndroidKeysetManager.java:378)
	at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:298)
	at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:169)
	at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:130)

Steps to Reproduce

Invoke Microsoft.Maui.Storage.SecureStorage.SetAsync

Link to public reproduction project repository

No response

Version with bug

8.0.0-rc.2.9373

Is this a regression from previous behavior?

Yes, this used to work in .NET MAUI

Last version that worked well

8.0.0-rc.1.9171

Affected platforms

Android

Affected platform versions

No response

Did you find any workaround?

Yes

Issue doesn't happen when, in manifest, android:allowBackup is set to false as following:
<application android:allowBackup="false" ... >

Relevant log output

No response

[PureWeen]

@moljac

[moljac]

@devWR

Can I see your AndroidManifest.xml?

if you have

<application android:allowBackup="true" ... >

true is default I think.

try setting it to

<application android:allowBackup="false" ... >

There are also other workarounds, but I'll need to dive in deeper.

And please report whether that worked.

[ghost]

Hi @devWR. We have added the "s/needs-info" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[devWR]

Strange case. I just tested it on Samsung A51 with Android 12 and issue doesn't happen.
@moljac, I've tried your workaround and it worked, thank you.
Do you have any idea where the issue comes from? It started happening since I've upgraded to RC2. Before allowBackup was set to true. After issue started happening I added into manifest:

android:fullBackupContent="@xml/auto_backup_rules"

where auto_backup_rules is as following:

<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
  <include domain="sharedpref" path="."/>
  <exclude domain="sharedpref" path="${applicationId}.mauiessentials.xml"/>
</full-backup-content> 

[moljac]

Do you have any idea where the issue comes from?

Not completely. I checked native Android issues on SO and github and saw that as quick-n-dirty workaround. There are some other workarounds, but thosw will need deeper dives and curently I am not sure if I will have time for that.

[devWR]

Thank you for the workaround then. I believe that some solution shall be found as soon as possible because there is a number of applicaitons that need to store data securely - tokens, etc.

[cropyai]

@devWR

Can I see your AndroidManifest.xml?

if you have

<application android:allowBackup="true" ... >

true is default I think.

try setting it to

<application android:allowBackup="false" ... >

There are also other workarounds, but I'll need to dive in deeper.

And please report whether that worked.

I can confirm the issue happening in my case. The other workaround is to clear the storage and cache of the app from app settings.

[fekberg]

Same issue here but the workaround isn't working for me at all.

[RBeaubien]

I had the same issue. setting allowBackup to false fixed it for me.

[plppp2001]

Same issue here but the workaround isn't working for me at all.

I'm having the same issue, (on an actual samsung device - Release APK installation only). I'll try this workaround... not sure if it'll help.... it worked so far, but this issue needs to resolved @maui team

** UPDATE this work around worked for me so far, but I'll have to retest this again later.

[BurkusCat]

where auto_backup_rules is as following:

@devWR what backup rules did you end up using that fixed the issue? Or did you not get it resolved and needed to fully disable backup?

[BurkusCat]

How can we notify the actual documentation writer to update it?

Leonluc already submitted a GitHub issue for the docs :) dotnet/docs-maui#2167 (comment)

[moljac]

How can we notify the actual documentation writer to update it?

Issue was raised.

[figuerres]

Hello just found this, i think i am also getting hit by this.

i have a new app that when i run it for debug builds on my device i do not see a problem.
when i build a release apk for ad hoc and run it i keep getting crashes and errors.

from my sentry logs i get messages like this:

android.security.keystore2.AndroidKeyStoreCipherSpiBase in engineDoFinal at line 632
javax.crypto.Cipher in doFinal at line 2114
com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm in decryptInternal at line 118
com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm in decrypt at line 101
com.google.crypto.tink.KeysetHandle in decrypt at line 993
com.google.crypto.tink.KeysetHandle in readWithAssociatedData at line 878
com.google.crypto.tink.KeysetHandle in read at line 859
com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder in readMasterkeyDecryptAndParseKeyset at line 378
com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder in build at line 298
androidx.security.crypto.EncryptedSharedPreferences in create at line 169
androidx.security.crypto.EncryptedSharedPreferences in create at line 130

and then

KeyStoreException
Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish

Caused by:
0: system/security/keystore2/src/operation.rs:426: Finish failed.
1: Error::Km(r#VERIFICATION_FAILED))
android.security.KeyStore2 in getKeyStoreException at line 435
android.security.KeyStoreOperation in handleExceptions at line 78
android.security.KeyStoreOperation in finish at line 128
android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream in finish at line 228
android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer in doFinal at line 181
… .security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer in doFinal at line 396
android.security.keystore2.AndroidKeyStoreCipherSpiBase in engineDoFinal at line 624
javax.crypto.Cipher in doFinal at line 2114
com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm in decryptInternal at line 118
com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm in decrypt at line 101
com.google.crypto.tink.KeysetHandle in decrypt at line 993
com.google.crypto.tink.KeysetHandle in readWithAssociatedData at line 878
com.google.crypto.tink.KeysetHandle in read at line 859
com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder in readMasterkeyDecryptAndParseKeyset at line 378
com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder in build at line 298
androidx.security.crypto.EncryptedSharedPreferences in create at line 169
androidx.security.crypto.EncryptedSharedPreferences in create at line 130

android v14
samsung galaxy 22

also i see this:

JniObjectReference StaticMethods.CallStaticObjectMethod(JniObjectReference, JniMethodInfo, JniArgumentValue*)
In App

Assembly:
Java.Interop
Version:
7.0.0.0
PublicKeyToken:
84e04ff9cfb79065
JniObjectReference JniStaticMethods.InvokeObjectMethod(string, JniArgumentValue*)
In App

Called from: ISharedPreferences EncryptedSharedPreferences.Create(Context, string, MasterKey, PrefKeyEncryptionScheme, PrefValueEncryptionScheme)

Show 2 more frames

the app wants to use secure storage for user tokens.

try to login or resume from recent session and BOOM!

i will see if the info here lets me work past this.....

[figuerres]

first test setting allow backup to false seems to stop the crash!
also note that a debug build of the same app to the same device did NOT have the problem !
so why does debug not error and release does ??

[South2AK]

@figuerres I have the error on both debug and release using MAUI 8.0.20

Also Allow Backup none doesn´t seem to be a workaround since all saved data get´s deleted after a restart of the app.

I´m having the same error when using any SecureStorage command:

[ViewRootImpl@5b71c8b[MainActivity]] ViewPostIme pointer 0
[ViewRootImpl@5b71c8b[MainActivity]] ViewPostIme pointer 1
[ViewRootImpl@5b71c8b[MainActivity]] onDisplayChanged oldDisplayState=2 newDisplayState=2
[DOTNET]    at Java.Interop.JniEnvironment.StaticMethods.CallStaticObjectMethod(JniObjectReference type, JniMethodInfo method, JniArgumentValue* args) in /Users/runner/work/1/s/xamarin-android/external/Java.Interop/src/Java.Interop/obj/Release/net7.0/JniEnvironment.g.cs:line 21452
[DOTNET]    at Java.Interop.JniPeerMembers.JniStaticMethods.InvokeObjectMethod(String encodedMember, JniArgumentValue* parameters) in /Users/runner/work/1/s/xamarin-android/external/Java.Interop/src/Java.Interop/Java.Interop/JniPeerMembers.JniStaticMethods.cs:line 165
[DOTNET]    at AndroidX.Security.Crypto.EncryptedSharedPreferences.Create(Context context, String fileName, MasterKey masterKey, PrefKeyEncryptionScheme prefKeyEncryptionScheme, PrefValueEncryptionScheme prefValueEncryptionScheme) in C:\a\_work\1\s\generated\androidx.security.security-crypto\obj\Release
et6.0-android\generated\src\AndroidX.Security.Crypto.EncryptedSharedPreferences.cs:line 227
[DOTNET]    at Microsoft.Maui.Storage.SecureStorageImplementation.GetEncryptedSharedPreferences() in D:\a\_work\1\s\src\Essentials\src\SecureStorage\SecureStorage.android.cs:line 93
[DOTNET]    at Microsoft.Maui.Storage.SecureStorageImplementation.<>c__DisplayClass6_0.<PlatformSetAsync>b__0() in D:\a\_work\1\s\src\Essentials\src\SecureStorage\SecureStorage.android.cs:line 53
[DOTNET]    at System.Threading.Tasks.Task.InnerInvoke()
[DOTNET]    at System.Threading.Tasks.Task.<>c.<.cctor>b__281_0(Object obj)
[DOTNET]    at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
[DOTNET] --- End of stack trace from previous location ---
[DOTNET]    at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
[DOTNET]    at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
[DOTNET] --- End of stack trace from previous location ---
[DOTNET]    at Schaden_Digital.Views.PageLogin.Button_Clicked_1(Object sender, EventArgs e) in F:\Sourcecode\Online Gutachten\Online Gutachten\Views\Login\PageLogin.xaml.cs:line 77
[DOTNET]   --- End of managed Javax.Crypto.AEADBadTagException stack trace ---
[DOTNET] javax.crypto.AEADBadTagException
[DOTNET] 	at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:632)
[DOTNET] 	at javax.crypto.Cipher.doFinal(Cipher.java:2114)
[DOTNET] 	at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.decryptInternal(AndroidKeystoreAesGcm.java:118)
[DOTNET] 	at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.decrypt(AndroidKeystoreAesGcm.java:101)
[DOTNET] 	at com.google.crypto.tink.KeysetHandle.decrypt(KeysetHandle.java:993)
[DOTNET] 	at com.google.crypto.tink.KeysetHandle.readWithAssociatedData(KeysetHandle.java:878)
[DOTNET] 	at com.google.crypto.tink.KeysetHandle.read(KeysetHandle.java:859)
[DOTNET] 	at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readMasterkeyDecryptAndParseKeyset(AndroidKeysetManager.java:378)
[DOTNET] 	at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:298)
[DOTNET] 	at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:169)
[DOTNET] 	at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:130)
[DOTNET] Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
[DOTNET] 
[DOTNET] Caused by:
[DOTNET]     0: system/security/keystore2/src/operation.rs:426: Finish failed.
[DOTNET]     1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
[DOTNET] 	at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:435)
[DOTNET] 	at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
[DOTNET] 	at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
[DOTNET] 	at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
[DOTNET] 	at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
[DOTNET] 	at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
[DOTNET] 	at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:624)
[DOTNET] 	... 10 more
[DOTNET] Exception of type 'Javax.Crypto.AEADBadTagException' was thrown.
[ViewRootImpl@5b71c8b[MainActivity]] onDisplayChanged oldDisplayState=2 newDisplayState=2

[mmiller-d8]

To add another wrinkle to this, the documentation says:

NET MAUI automatically handles this case by removing the key so it can be reset. Alternatively, you can disable Auto Backup.

First, it doesn't handle the case because it still fails. Second, and more importantly, removing the key myself doesn't work either. It seems that calling SetValue must be attempting to read the value before setting it because the call still fails with the same exception.

@leonluc-dev Thank you for putting the complete workaround. Unfortunately for me, I still can't set secure storage values. I'm getting Signature/MAC verification failed (internal Keystore code: -30 message: In KeystoreOperation::finish

[SpikeThatMike]

Same problem as @mmiller-d8, I have done the work around @leonluc-dev posted but its crashing on
Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish

[gerhartz]

Same issue as @mmiller-d8. Seeing this exception on my Android 14 / Pixel 6a device. Building with Maui 8.0.21, NET SDK 8.0.300, Xcode 15.4

I was struggling to consistently reproduce the issue but figured out a process:

1. Launch my .net8 app
2. Run the Android Backup (Settings --> Backup --> Back up now)
3. Uninstall/Reinstall the app
4. Launch app. Any call to secure storage fails. Trying to remove keys also fails.

Clearing the app storage avoids the problem (not suggesting that as a solution). But for anyone else that feels the issue is happening randomly for them I realized that my phone does auto-backup after 2hrs of inactivity which made the problem pop up again the next time I rebuilt after clearing app storage.

[gerhartz]

A workaround I've found is to clear the shared preferences with Android code. It feels brittle and not quite a polished solution but it does enable you to get past the error and back to saving/loading data

#if ANDROID 
   var packageName = AppInfo.Current.PackageName;
   var alias = $"{packageName}.microsoft.maui.essentials.preferences";
   var preferences = AndroidApp.Context.GetSharedPreferences(alias, FileCreationMode.Private);
   preferences?.Edit()?.Clear()?.Apply();
#endif

At this point I'm not sure whether the flag FileCreationMode.Private is correct or what the side effects of this may be.

[kmiterror]

To add another wrinkle to this, the documentation says:

NET MAUI automatically handles this case by removing the key so it can be reset. Alternatively, you can disable Auto Backup.

First, it doesn't handle the case because it still fails. Second, and more importantly, removing the key myself doesn't work either. It seems that calling SetValue must be attempting to read the value before setting it because the call still fails with the same exception.

@leonluc-dev Thank you for putting the complete workaround. Unfortunately for me, I still can't set secure storage values. I'm getting Signature/MAC verification failed (internal Keystore code: -30 message: In KeystoreOperation::finish

The reason for this is that the SecureStorage GeneralSecurityException handling is broken:

maui/src/Essentials/src/SecureStorage/SecureStorage.android.cs

Lines 30 to 37 in 5bb5ed2

	catch (GeneralSecurityException)
	{
	// TODO: Use Logger here?
	System.Diagnostics.Debug.WriteLine(
	$"Unable to decrypt key, {key}, which is likely due to an app uninstall. Removing old key and returning null.");
	PlatformRemove(key);
	return null;
	}

The idea is good but calling PlatformRemove will crash in case of data being restored from cloud back-up.
The reason is that PlatformRemove (as any other SecureStorage method) relies on GetEncryptedSharedPreferences.
This method calls android nativeEncryptedSharedPreferences.Create method to de-crypt the key-store.
Since it was encrypted on another device this method will throw a java.security.GeneralSecurityException.
https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences#create(android.content.Context,java.lang.String,androidx.security.crypto.MasterKey,androidx.security.crypto.EncryptedSharedPreferences.PrefKeyEncryptionScheme,androidx.security.crypto.EncryptedSharedPreferences.PrefValueEncryptionScheme)

Why GetEncryptedSharedPreferences catches InvalidProtocolBufferException instead of java.security.GeneralSecurityException is also unclear to me.
Both MasterKey.Builder and EncryptedSharedPreferences.Create throws java.security.GeneralSecurityException.
But also just changing to proper exception won't make it work, because RemoveAll will crash again because it uses GetEncryptedSharedPreferences internally.

For regular developers consuming SecureStorage it's best to either disable auto-backup all together or selectively as @leonluc-dev described here #18230 (comment)

For microsoft developers maintaining this part of code:
In my opinion, instead of calling PlatformRemove(key) it should be handled as @gerhartz described

   var preferences = AndroidApp.Context.GetSharedPreferences(Alias, FileCreationMode.Private);
   preferences?.Edit()?.Clear()?.Apply();

This should resolve it properly for all developers.
This is hard to track down as it requires a lot of hoops: logs reading, googling, docs reading and finally connecting all the dots.
There are at least few issues on github in different flavours.
Most of them hang forever and are never resolved.

@Redth @moljac Could you have a look and resolve it?
I believe that this issue can pretty much bork the app in certain circumstances for some users.
It takes a lot of hours to track it down.
I think most end-users won't even bother to infrom app developers that the issue is there and will just out-right uninstall it.

So to summarize I think the right solution would be to change the SecureStorage.android.cs code like below:

		void PlatformRemoveAll()
		{
			var preferences = AndroidApp.Context.GetSharedPreferences(Alias, FileCreationMode.Private);
			preferences?.Edit()?.Clear()?.Apply();
		}

		ISharedPreferences GetEncryptedSharedPreferences()
		{
			try
			{
				var context = Application.Context;

				var prefsMainKey = new MasterKey.Builder(context, Alias)
					.SetKeyScheme(MasterKey.KeyScheme.Aes256Gcm)
					.Build();

				return EncryptedSharedPreferences.Create(
					context,
					Alias,
					prefsMainKey,
					EncryptedSharedPreferences.PrefKeyEncryptionScheme.Aes256Siv,
					EncryptedSharedPreferences.PrefValueEncryptionScheme.Aes256Gcm);
			}
			catch (GeneralSecurityException)
			{
				// TODO: Use Logger here?
				System.Diagnostics.Debug.WriteLine(
					"Unable get encrypted shared preferences, which is likely due to an app uninstall. Removing all keys and returning null.");
				PlatformRemoveAll();
				return GetEncryptedSharedPreferences();
			}
		}

[mmiller-d8]

Thank you for that @kmiterror I tried selectively removing the backup as in the comment you mentioned, but I'm still getting crashes when I update the app on a device. I haven't turned off all backups yet because I'm hoping they fix it. I'm not yet live, so I just delete the application data when I update it with a release build.

[kmiterror]

I tried selectively removing the backup

I think that the thing that you specify in AndroidManifest.xml just excludes the files from the backup.
Adding the "selective exclusion" will just stop the autoBackup mechanism to include this particular file in the future.

Since the file has already been restored on your device and you don't have keys to decrypt it SecureStorage.GetAsync(key); will throw exception.

So it seems that at this point you have to catch the android.security.KeyStoreException and then delete the preferences file that is storing the SecureStorage keys.

try{
var yourVar = await SecureStorage.GetAsync(key);
} catch (KeyStoreException ex) {
   var packageName = AppInfo.Current.PackageName;
   var alias = $"{packageName}.microsoft.maui.essentials.preferences";
   var preferences = AndroidApp.Context.GetSharedPreferences(alias, FileCreationMode.Private);
   preferences?.Edit()?.Clear()?.Apply();
}

So the solution is two-fold,
1, disable backup function for {packageName}.microsoft.maui.essentials.preferences file
2, delete the {packageName}.microsoft.maui.essentials.preferences file if SecureStorage throws exception during de-cryption

[mmiller-d8]

@kmiterror I did do the selective backup. Here's what I have.

<?xml version="1.0" encoding="utf-8"?> <data-extraction-rules> <cloud-backup disableIfNoEncryptionCapabilities="false"> <exclude domain="sharedpref" path="com.myapp.app.microsoft.maui.essentials.preferences.xml"/> </cloud-backup> <device-transfer> <exclude domain="sharedpref" path="com.myapp.app.microsoft.maui.essentials.preferences.xml"/> </device-transfer> </data-extraction-rules>

I also have a legacy set for older devices.

I'll try out the error handling. Thanks!

[Redth]

There's some great recommendations for working around the issues in this issue. Thanks to everyone who took the time to provide them, including @kmiterror who had a long write up on their findings, and @gerhartz who found a way to reliably reproduce the issue.

One more thing to note is that if you're using the approach to try/catch and delete the shared preferences outlined in this thread, you may want to consider the difference between Apply() and Commit(). Apply() is asynchronous and returns immediately after committing changes in memory only. Commit() is synchronous and will write the changes immediately before returning.

If you're attempting to delete the shared preferences and then immediately try creating them again, you should be using Commit() on the call to delete, otherwise you may end up in a scenario where the call afterwards to try getting the preferences again will fail since the changes aren't yet written. In theory it seems like it would be enough to have the changes in memory, however in practice I've found in my testing that this is a problem in this scenario.

So, the code I would suggest using for now while waiting for the fix to merge and be released in MAUI itself would be:

string someValue;

try
{
    someValue = await SecureStorage.GetAsync(key);
}
catch (Exception ex)
{
    var packageName = AppInfo.Current.PackageName;
    var alias = $"{packageName}.microsoft.maui.essentials.preferences";
    var preferences = AndroidApp.Context.GetSharedPreferences(alias, FileCreationMode.Private);
    preferences?.Edit()?.Clear()?.Commit();

    someValue = await SecureStorage.GetAsync(key);
}