Apex Flex iOS troubles

Alright, so I finally found someone who is willing to install the Flex for me, so I went ahead and checked if I can get the features I want to work.

Fortunately, applet discovery seems to work by now, so selecting and installing them doesn't require manual codes anymore.

Now, when I try to install either the FIDO2 or U2F app, I get this message:

With U2F it instantly throws a connection error in addition; with FIDO2 it gives a checkmark like this:

And that even when my Apex doesn't have anything installed. Detecting installed applets works by now; other ones I can install, even after removing them from the app and rediscovering the chip.

Now, I have tried to install applets manually in the past, but removed them all again, and did so now again just to be sure.

Another issue I had was to discover that the OTP password applet (which I was able to install) isn't compatible with the Yubikey app anymore, and neither is the HMAC-SHA1 generator. After searching the forum, I saw the post explaining that it is due to the added security functionality of a read password, which is great; however, what's not great is that neither the VivoKey Authenticator app nor the Apex Manager app is available on iOS, so I can't use the Apex for OTP passwords this way either. (The other being FIDO2 + the Token2 Companion app.)

I urge you to either release those apps for iOS, or release a legacy applet version that works with Yubikey.

NDEF works fine, but I sadly can't find any documentation on the applet's GitHub on how to change the tag's serial number/ID.

On an unrelated note, my Apex seems to have become a bit brown around the edges, which I don't remember being the case about 4-5 months ago when I got it. But maybe it's just the paper reflecting the yellow edges and playing a trick on my eyes. Is this a cause for concern?

So yeah, I hope someone knows a way to get OTP to work on iOS; I would be very thankful. :slight_smile:
Let me know if I should run some additional tests.

First thanks for the long write-up. Before you do anything else, can you turn on debug information in settings so you can see your device’s Fidesmo ID and DM that to me (don’t post publicly)? I will contact Fidesmo about it so we can look into it further… and please don’t try anything else at this point until we can have a look at the logs on the Fidesmo side.

actually we did update the OTP applet to use the Yubikey AID … so it should work… we’ll need to do more testing on iOS

So it's simply as if there is no chip at all; it just keeps being in scanning mode. With HMAC it says that there is some missing functionality, or something like that, I can't quite remember. Other apps like the Token2 Companion can read the OTP applet, but throw an error as expected.

I have an iPhone 12 with iOS 14.8 installed, by the way.

OK, thanks, that is important info.

So from Fidesmo, this is what they said:

U2F : applet gets successfully installed, but we get a client failure when trying to send any personalization APDU. The error says “Missing required entitlement”. Quick googling shows that iOS app might be lacking some permission (might be wrong as well as our iOS team is on holidays so can’t verify). Strange that we have never encountered that before, maybe iOS detected installed U2F somehow and now requires it. I will discuss that with our front-end team, likely we will have to test it ourselves as well.

Fido2 : here we are failing when trying to create a complementary SSD for the applet with '6A80'. I assume this could be the result of some previously failed installation attempts that we haven't cleaned for some reason. I suggest running 'destroy' service manually, to ensure that chip is clean. Also if my previous assumption is correct and U2F applet somehow triggers this "Missing entitlement" error then it might also fail other deliveries on iOS, but running destroy on Android could solve the issue.

So basically you may have a U2F or FIDO2 applet that is "half deployed" on the chip and you will need to run through a manual destroy process in order to fix it. To do that, you would need to turn on manual service deployment under settings; then, when you scan your Apex and see the list of applets deployed, there should now be a little icon up at the top of the app screen that will take you to the manual service screen. There it will ask for an application ID and a service ID. The app ID is cc68e88c and the service is destroy.

Tap your Apex and it should remove any half-deployed FIDO/U2F applets on the chip.

Well, the thing is, I already tried that :confused:
I have tried to install it manually in the past, but also manually ran the destroy option for all applets I had installed before trying to install anything new. Unfortunately I don't have access to an Android device right now.

EDIT: Alright, I tried it again with debug logs turned on, same result. Will PM you the debug logs.

Alright, I had some success! After updating to iOS 16.4.1 I was able to install the U2F applet; however, the TOKEN2 applet still throws an error.
Unfortunately no app I tested was able to write any authentication tokens, or read the tag in general. :confused:
By the way, I have the same error as TOKEN2 when trying to install the SmartPGP applet.
Only having the OTP authenticator installed still makes it undetectable to the Yubikey app.

Sorry do you mean fido2?

Also just to double check but you’re not trying to install fido2 and u2f at the same time right? You can only have one of those applications on the chip at a time. They both use the same AID and therefore you cannot have both on the chip at once.

Ah yeah, it's FIDO2, my bad. And yes, I made sure to uninstall it first.

Hi - I'm also having some iOS troubles.

Apex Flex installed and working OK with Fidesmo :ok_hand:
I can install apps via Fidesmo :ok_hand:
I can set up FIDO security with either FIDO2 or U2F :ok_hand:
I can't find any iOS apps that will work for FIDO security to look at OTPs?
Tried a few including Token2 and Yubico?

FIDO is not OTP… they are different things. Did you deploy the OTP applet to the Apex?

Thanks Amal - sorry, I meant 2FA. I did install the OTP app but couldn't find an iOS app to work with it?

Ah OK… so yeah, I believe iOS does not work with U2F, only FIDO2. For macOS or other devices, you will need a PC/SC compliant reader attached to your computer and probably some supporting PC/SC libraries like pcsclite.

macOS ships with a native version of pcsclite customized by Apple, so a PC/SC stack is available (which I, for example, use for HMAC-SHA1 in KeePassXC for the macOS build).

iOS supports FIDO2 only, but also has native support in e.g. Safari.
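Since the replies above point iOS-less users at a PC/SC reader on a computer, here is an added example of what that path looks like in practice. It is not code from the thread, from VivoKey or from Fidesmo. It builds an ISO 7816-4 SELECT-by-AID APDU, sends it through pyscard (`pip install pyscard`, which sits on top of pcsclite or Apple's PC/SC stack), and decodes the status word, including the `6A80` that Fidesmo quoted above. The AIDs used are the public FIDO Alliance U2F/FIDO2 AID and the NFC Forum Type 4 Tag AID; the stub connection is constructed here so the helpers can be exercised without a reader.

```python
"""Probe a JavaCard (e.g. Apex Flex) for applets over PC/SC with pyscard.

Added example, not code from the forum thread, VivoKey or Fidesmo.
Assumptions: `pip install pyscard` and a PC/SC reader for the live path;
the helpers and StubConnection run offline.
"""
from __future__ import annotations

# ISO 7816-4 status words seen most often when poking at applet installs.
# Constructed table; the wording follows the ISO 7816-4 meanings.
STATUS_WORDS = {
    0x9000: "OK",
    0x6A80: "Incorrect parameters in the data field",
    0x6A82: "File or application not found (AID not present)",
    0x6A84: "Not enough memory space in the file",
    0x6985: "Conditions of use not satisfied",
    0x6D00: "Instruction code not supported",
    0x6E00: "Class not supported",
}

# Example AIDs. U2F and FIDO2 share the FIDO AID, which is why only one of
# the two applets can be installed at a time (as noted earlier in the thread).
AIDS = {
    "FIDO (U2F / FIDO2)": bytes.fromhex("A0000006472F0001"),  # FIDO Alliance AID
    "NDEF Type 4 Tag": bytes.fromhex("D2760000850101"),       # NFC Forum T4T AID
}


def build_select_apdu(aid: bytes) -> bytes:
    """SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc AID Le=00."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("AID must be 5..16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def describe_sw(sw1: int, sw2: int) -> str:
    """Human-readable meaning of a status word, handling the 61xx/6Cxx forms."""
    if sw1 == 0x61:
        return f"OK, {sw2} more response bytes available (use GET RESPONSE)"
    if sw1 == 0x6C:
        return f"Wrong Le, retry with Le={sw2}"
    sw = (sw1 << 8) | sw2
    return STATUS_WORDS.get(sw, f"Unknown status word {sw:04X}")


def select_applet(connection, aid: bytes) -> tuple[bool, str]:
    """Send SELECT over a pyscard-style connection; return (present, reason)."""
    _data, sw1, sw2 = connection.transmit(list(build_select_apdu(aid)))
    return (sw1, sw2) == (0x90, 0x00), describe_sw(sw1, sw2)


class StubConnection:
    """Constructed stand-in for pyscard's CardConnection, for offline use.

    `installed` maps AID bytes to the status word the card should answer with.
    Unknown AIDs get 6A82, which is what a card returns for a missing applet.
    """

    def __init__(self, installed: dict[bytes, int]):
        self.installed = installed

    def transmit(self, apdu: list[int]) -> tuple[list[int], int, int]:
        assert apdu[:4] == [0x00, 0xA4, 0x04, 0x00], "only SELECT is stubbed"
        aid = bytes(apdu[5:5 + apdu[4]])
        sw = self.installed.get(aid, 0x6A82)
        return [], sw >> 8, sw & 0xFF


def probe(connection) -> dict[str, tuple[bool, str]]:
    """SELECT every AID in AIDS and report which applets answered 9000."""
    return {name: select_applet(connection, aid) for name, aid in AIDS.items()}


def main() -> None:
    from smartcard.System import readers  # pyscard; needs a PC/SC reader
    available = readers()
    if not available:
        raise SystemExit("no PC/SC reader found (is the PC/SC stack running?)")
    conn = available[0].createConnection()
    conn.connect()  # raises NoCardException if nothing is on the reader
    for name, (present, why) in probe(conn).items():
        print(f"{name:20s} {'present' if present else 'absent ':8s} ({why})")


if __name__ == "__main__":
    main()
```

On macOS the same script works with Apple's bundled PC/SC stack; on Linux it needs pcscd running. A `6A82` on the FIDO AID simply means neither U2F nor FIDO2 is installed, whereas a `6A80` during a Fidesmo delivery (as quoted above) is the card rejecting the data of a specific command, which is why the thread recommends the `destroy` service before retrying.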

Good day, have there perchance been any updates from fidesmo regarding the fido2 applet?

We have been able to mimic the issue on iOS reliably so they are making adjustments to the deployment scripts on their side. Update should be live by Friday next week.

The problem is still that iOS is cutting off communications in the middle of deployment because it does a hard cutoff of all NFC communications at the 20 second mark.

At the moment, any deployment issues for any applets on iOS should follow these rules:

  1. limited retry attempts (2 or 3 max)
  2. submit screen recordings of the failure to the thread, or if your Fidesmo device ID is visible, submit to me directly via DM (or block it out or crop the video accordingly).

So I just remembered the Apex sitting somewhere in a cupboard, and tried loading the FIDO2 applet again, using the latest version of the Fidesmo app.

However, unfortunately it still didn't work: (12:30 CET)

The Apex was pretty much empty. Right after, I deployed a 16 kB NFC share successfully, so space shouldn't really be an issue.

Thank you for your support last time.

I believe you still have my Fidesmo ID; tell me if you need anything else to troubleshoot.

Ah whoops, browsed a bit and found a duplicate here: Apex Flex FIDO Setup - Going Passwordless - #13 by Xandie

Can you tell me the process or do a screen recording?

Clipboard 29.11.2023, 11.55.txt (85.9 KB)
