Apex Flex iOS troubles

Alright, so I finally found someone who is willing to install the Flex for me, so I went ahead and checked whether I can get the features I want to work.

Fortunately, applet discovery seems to work by now, so selecting and installing them doesn’t require manual codes anymore.

Now, when I try to install either the FIDO2 or U2F app, I get this message:

With U2F it instantly throws a connection error in addition; with FIDO2 it gives a checkmark like this:

And that even when my Apex doesn’t have anything installed. Detecting installed applets works by now; other ones I can install, even after removing them from the app and rediscovering it.

Now, I have tried to install applets manually in the past, but removed them all again, and did so again just now to be sure.

Another issue I had was discovering that the OTP password applet (which I was able to install) isn’t compatible with the yubi-key app anymore, and neither is the HMAC-SHA1 Generator. After searching the forum, I saw the post explaining that it is due to the added security functionality of a read password, which is great; however, what’s not great is that neither the VivoKey Authenticator app nor the Apex Manager app is available on iOS, so I can’t use the Apex for OTP passwords this way either. (The other being FIDO2 + Token Companion app.)

I urge you to either release those apps for iOS, or release a legacy applet version that works with yubi-key.

NDEF works fine, but sadly I can’t find any documentation on the applet’s GitHub on how to change the tag’s serial number/ID.

On an unrelated note, my Apex seems to have become a bit brown around the edges, which I don’t remember being the case about 4-5 months ago, when I got it. But maybe it’s just the paper reflecting the yellow edges and playing a trick on my eyes. Is this a cause for concern?

So yeah, I hope someone knows a way to get OTP to work on iOS; I would be very thankful. :slight_smile:
Let me know if I should run some additional tests.

First, thanks for the long write-up. Before you do anything else, can you turn on debug information in settings so you can see your device’s Fidesmo ID and DM it to me (don’t post it publicly)? I will contact Fidesmo about it so we can look into it further… and please don’t try anything else at this point until we can have a look at the logs on the Fidesmo side.

Actually, we did update the OTP applet to use the Yubikey AID… so it should work… we’ll need to do more testing on iOS.

So it’s simply as if there is no chip at all; it just keeps being in scanning mode. With HMAC it says that there is some missing functionality, or something like that; I can’t quite remember. Other apps like TOKEN2 Companion can read the OTP applet, but throw an error as expected.

I have an iPhone 12 with iOS 14.8 installed, by the way.

OK, thanks, that is important info.

So from Fidesmo, this is what they said:

U2F: the applet gets successfully installed, but we get a client failure when trying to send any personalization APDU. The error says “Missing required entitlement”. Quick googling shows that the iOS app might be lacking some permission (might be wrong as well, as our iOS team is on holidays so I can’t verify). Strange that we have never encountered that before; maybe iOS detected the installed U2F somehow and now requires it. I will discuss that with our front-end team; likely we will have to test it ourselves as well.

FIDO2: here we are failing when trying to create a complementary SSD for the applet with ‘6A80’. I assume this could be the result of some previously failed installation attempts that we haven’t cleaned for some reason. I suggest running the ‘destroy’ service manually, to ensure that the chip is clean. Also, if my previous assumption is correct and the U2F applet somehow triggers this “Missing entitlement” error, then it might also fail other deliveries on iOS, but running destroy on Android could solve the issue.

So basically you may have a U2F or FIDO2 applet that is “half deployed” on the chip, and you will need to run through a manual destroy process in order to fix it. To do that, you would need to turn on manual service deployment under settings; then, when you scan your Apex and see the list of applets deployed, there should now be a little icon up at the top of the app screen that will take you to the manual service screen. There it will ask for an application ID and a service ID. The app ID is cc68e88c and the service is destroy.

Tap your Apex and it should remove any half-deployed FIDO/U2F applets on the chip.

Well, the thing is I already tried that :confused:
I have tried to install it manually in the past, but also manually ran the destroy option for all applets I had installed before trying to install anything new. Unfortunately I don’t have access to an Android device right now.

EDIT: Alright, I tried it again with debug logs turned on, same result. Will PM you the debug logs.


Alright, I had some success! After updating to iOS 16.4.1 I was able to install the U2F applet; however, the TOKEN2 applet still throws an error.
Unfortunately no app I tested was able to write any authentication tokens, or read the tag in general. :confused:
By the way, I have the same error as with TOKEN2 when trying to install the SmartPGP applet.
Having only the OTP authenticator installed still makes it undetectable to the yubi-key app.

Sorry, do you mean FIDO2?

Also, just to double check, you’re not trying to install FIDO2 and U2F at the same time, right? You can only have one of those applications on the chip at a time. They both use the same AID, and therefore you cannot have both on the chip at once.

Ah yeah, it’s FIDO2, my bad. And yes, I made sure to uninstall it first.