flexSecure product release

For developers wanting to explore in vivo Java Card applications without the Fidesmo framework, we have a new product for you! The flexSecure is now officially released!

While there is no official direct support for the flexSecure, this forum category (Support → flexSecure Support) is meant to provide a community support mechanism concerning its use and operation.

A collection of various applications and documentation regarding the flexSecure is available via GitHub repo at;

14 Likes

So this is the same chip as the Apex just “unlocked” correct?

1 Like

correctamundo-pulp-fiction

“The flexSecure uses a SmartMX3 P71 chip from NXP”

2 Likes

The Apex and flexSecure use the same chip, but in a different configuration and setup. Read flexsecure-applets/docs/2-hardware.md at master · DangerousThings/flexsecure-applets · GitHub for the details and pros / cons of each.

1 Like

wohoo

the privacy crowd will be very pleased :3

2 Likes

Yup, all 40 of them :sweat_smile:

11 Likes

“We want user controlled crypto keys in their bodies for best security & privacy”
“Users who don’t want to download applets from some companies server are rare”
Hmm :thinking:

I guess we’ll see what gets more attention in the end.
I hope this forum makes using this very easy, develops some needed tooling and documentation.

Depending on how far these apps go, this is what would entice me. Much more interested in this than Apex purely because I don’t want to trust Fidesmo.

1 Like

May I ask why? Just generally don’t want to trust anyone except yourself or? Don’t feel obligated to answer if you don’t want to :+1:

I get this. I don’t want to trust Fidesmo with a large portion of functionality of a device implanted inside my body. I know that even flex implants can be removed “easily” but I don’t wanna have to remove it because a company stopped supporting it if otherwise it would work fine.

1 Like

I feel the same way. I try not to use cloud services and host or create everything locally when I can. I like having a good balance of privacy and security.

I don’t trust Fidesmo either, but I want wider adoption of this technology. The only way to get there is through implantable payment. It’s the only thing people care about (other than maybe health data). Fidesmo or whatever “legitimate” company can enable that to happen is where we want to be. I get wanting to control the keys for yourself, and I’m happy everybody who wants it can have that now. Unfortunately most people are technically and security/privacy illiterate, so we’ll always be on the scale of a few dedicated biohackers on a path like this.

3 Likes

One reason is Fidesmo has changed over the years, becoming more consumer / b2b focused rather than purely technology focused. Part of this transition has meant that documentation of their platform has become more limited, it is almost impossible to get help from them as an individual. One major issue people have had is there is no successful way for an individual to get a developer account with them, and as such you cannot run your own code on the Apex Flex. Even developers who previously had a Fidesmo account but have lost access have been unable to reinstate their access.

In addition there are a few concerns that are likely to not be an issue due to implanted device’s form factor - whilst Fidesmo controls the keys I believe that it is the device’s ID itself that is used to manage it - as such there is limited ability to stop someone else from deleting or adding applets on it if they have physical access to the device, which is an issue when you have 2FA applets / high security things on it.

Overall, I don’t blame Fidesmo for the direction they’ve gone - dealing with EMV is hard, and generally big businesses are going to be more profitable. For people that just want something that works, it’s perfect, and third party companies (e.g. transport services) can easily make applets that are secure and easy to distribute. It’s a trade-off between what the niche technology focused biohackers want and what the public will use.

2 Likes

Now I’m wondering if you could do that and replace an applet with an old version with known vulnerabilities.

Also let’s see how long this stays like this… maybe they add some other auth in the future.

Can only speak for myself but it’s risk management. I want payments so I have a real Apex, but for real high security stuff, I don’t want Fidesmo + any rogue employee + their fiancés with access to the laptop + their server hosters + their fucking facility manager and so on to theoretically be able to hack me, or get Fidesmo and thus me hacked.

I think this is a valid concern. It’s not that I find it super likely it happens this way. But what if Fidesmo gets ransomwared, whoops, master keys are lost and you can’t install applets. It’s just something to avoid ideally. But then, no payments, no possibility for eID, insurance card…

1 Like

Can I convert the Apex to flexSecure?

No.
There are rumors that this may be possible one day. But we’ll see.

The change of Fidesmo from a tech based company to a b2b consumer focused platform and their reluctance now to share developer access and documentation.

That on top of me not really wanting to have someone else have keys for something in my body.

In defense of Fidesmo, you can still get a developer account, you just have to e-mail them and explain your use case. Still, not as simple as previously where you could just sign up. They have also been very cooperative and helpful in their partnership with Vivokey, so I trust that they have good intentions, and I trust that they don’t intentionally mess up their own systems.

However, and that is one of the reasons I conceived the flexSecure, I agree with @Devilclarke - I want control over the tech and keys I put in my body. As an open-source enthusiast and supporter of the hacker ethic, I believe in Kerckhoffs’s principle - that is, your cryptographic system’s security should only depend on knowledge of the secret key, and not any other arbitrary protections or obfuscations. Even disregarding malware supply chain attacks, I also worry about the potential of Fidesmo or even Vivokey going out of business in a decade? Two decades? You never know. Call it paranoia, I call it independence.

I maintain a Repository of open-source applets for use with the flexSecure, (which are by the way the very same which are packaged for the Apex), because I believe everyone should be able to verify and modify software, especially the software they put into their bodies.

Fidesmo offers you a trade-off - enterprise trust vs. direct control. Even though it is unclear if the Apex will be able to eventually make payments in the future, the base functionality is there. The flexSecure will never be able to make payments (cryptocurrencies excluded), because no payment processor will allow their applets to run on an open platform, that is just how business works. In exchange, the flexSecure has more internal storage space - because the payment applet is missing. There might also be cases in the future where third parties (e.g. metro cards) will require a secure, trusted environment - i.e. the Apex. Fidesmo’s app store also functions as a very user-friendly way of managing applets, without the risk and challenges of command-line tools and key management.

So in the end, it is about choice. Everyone is free to pick whichever product is right for them and their use case, the flexSecure happens to cover mine. I still work to push the ecosystem further on the Apex as well, because again, it’s all about choice.

11 Likes

Well said @StarGate01

Geez, I’m not even sure where the negativity is coming from with Fidesmo and Vivokey Apex.

I don’t have any reason not to trust either of them, even in the “what if” scenarios, I’m sure those of you with the trust issues, are smart / paranoid enough to hold backups elsewhere for the worst case scenario.

Also I’m pretty sure a number of you reading this also have:-
Google accounts :pirate_flag:
FakeBook :-1:
Narcisstagram :camera_flash:
Tweeter :bird:
CrapChat :ghost:
ShitTok :musical_note:
etc. …

I personally trust Fidesmo and Vivokey Apex over ALL of those data collectors, and I have no reason to think otherwise.

security and convenience are inversely proportional
To me, I see the FlexSecure and the Vivokey Apex at the same end of the scale, with Vivokey Apex being slightly less secure (Fidesmo controls the keys) but it is also more convenient (“Applet store”) and still a very good viable secure option.

I know I have an ApexFlex and I also have a strong interest in cognitive biases; in that I am aware of Choice Supportive Bias, so just because I have one, doesn’t mean I think “my” choice is correct or the only choice.

I am also aware of how detrimental The Bandwagon Effect can be (another bias)
All this HATIN’ on a theoretical risk…WEIRD and It certainly doesn’t help Vivokey to continue to improve and develop for the APEX

AGREED, And, one of those being

In fact, I may even get a FlexSecure in my next order, but that doesn’t mean I trust my ApexFlex any less, it just means I have another option…

5 Likes

Very happy to see it, less tech savvy people I talk to only seem to care about payments, while professionals don’t want to put trust in a third party. This solves the latter nicely.

2 Likes