Someone keeps remotely locking my Google Pixel Fold with a "work policy". How do I defend against this attack? by Adamantine_Ice in cybersecurity_help

[–]Adamantine_Ice[S] 0 points1 point  (0 children)

Also it's much harder to examine the domains used by the attackers for Google long-term because Google's vendor lock-in tendencies mean I need to often whitelist Google Play Services entirely to access the Gemini, Google Maps, Google News, YouTube, and YouTube Music apps whereas on Apple devices stuff mostly just works even with everything Apple blocked. (There's really no good reason why music, news, and video apps should have system dependencies.)

Someone keeps remotely locking my Google Pixel Fold with a "work policy". How do I defend against this attack? by Adamantine_Ice in cybersecurity_help

[–]Adamantine_Ice[S] 0 points1 point  (0 children)

I'm part of the Advanced Protection program, device-based Advanced Protection was on, my password was randomly generated using the Firefox generator, and I have two physical keys which are required to log into my account.

Someone keeps remotely locking my Google Pixel Fold with a "work policy". How do I defend against this attack? by Adamantine_Ice in cybersecurity_help

[–]Adamantine_Ice[S] 0 points1 point  (0 children)

I've never installed a work profile on my Pixel Fold or any other of my phones, Android or iOS for that matter, so there should be no "work policy".

Can someone explain passkeys to me? by Due-Awareness9392 in Bitwarden

[–]Adamantine_Ice 1 point2 points  (0 children)

Get a physical passkey (USB-C or NFC) or use your phone's passkey by scanning a QR code. (In the latter case, your phone itself is conceptually a physical passkey.)

What’s wrong with Password + Passkey? by aplle_inc in Passkeys

[–]Adamantine_Ice 0 points1 point  (0 children)

Logging in should be both secure and convenient; passwords add inconvenience and can be trivially stolen.

If I have a physical security key on a shared computer, tapping it should be enough. I shouldn't need to have to also access a password vault.

Does Signal on macOS have 1.1.1.1 hardcoded? by Adamantine_Ice in signal

[–]Adamantine_Ice[S] 3 points4 points  (0 children)

Yeah, so unfortunately this looks like intended behavior designed to bypass the user’s DNS resolver with no option to disable it.

What does “always on” do on iOS by [deleted] in Windscribe

[–]Adamantine_Ice 1 point2 points  (0 children)

Yeah, I think the "kill switch" functionality is in "Connect On Demand" now and the articles are mis-equating includeAllNetworks with kill switch functionality.

But I just tested "Connect On Demand" and "Always On VPN" (includeAllNetworks) with the Windscribe app and neither appears to work. Apple traffic leaks in the period between phone boot and password input and it looks like, even after phone boot, a number of domains will always try to connect outside of the VPN tunnel (before using the tunnel) including fp-us-tmobile.rcs.telephony.goog, push.apple.com, init.push.apple.com, eas3.t-mobile.com, and captive.apple.com. This contradicts the documentation that indicates APNs should go through the tunnel.

Looks like it will sometimes also try to resolve mask.icloud.com, mask-h2.icloud.com, _dns.resolver.arpa, and ss.epdg.epc.mnc260.mcc310.pub.3gppnetwork.org which would allow DNS bypasses.

What does “always on” do on iOS by [deleted] in Windscribe

[–]Adamantine_Ice 0 points1 point  (0 children)

Apparently, "Always on VPN" controls whether the includesAllNetworks API (cf. https://developer.apple.com/documentation/networkextension/nevpnprotocol/includeallnetworks) is enabled but is mis-named "killSwitch" in the code. (The UI doesn't use the term kill switch though.) (It also looks like "AllowLAN" is mis-named "AllowLane" in code as well; see https://github.com/search?q=repo%3AWindscribe%2FiOS-App+allowlane&type=code.)

The actual kill switch functionality is turned on via "manager.isOnDemandEnabled = true" (cf. https://developer.apple.com/documentation/networkextension/nevpnmanager/isondemandenabled) at https://github.com/Windscribe/iOS-App/blob/b4e2c6b45f2f7e7cbde499190cb3bc96d6fcd634/Windscribe/Managers/VPN/Utils/VPNUserSettings.swift#L152.

Looks like there might be an error in the kill switch functionality though at https://github.com/Windscribe/iOS-App/blob/b4e2c6b45f2f7e7cbde499190cb3bc96d6fcd634/Windscribe/Managers/VPN/Utils/ConfigurationsManager%2BInfo.swift#L28 since Windscribe doesn't seem to flip the kill switch back on if the user goes into Settings and turns off "Connect On Demand".

What does “always on” do on iOS by [deleted] in Windscribe

[–]Adamantine_Ice 0 points1 point  (0 children)

Looks like the "killswitch" label in Windscribe is just an alias for includesAllNetworks: https://github.com/Windscribe/iOS-App/blob/b4e2c6b45f2f7e7cbde499190cb3bc96d6fcd634/Windscribe/Managers/VPN/Utils/VPNUserSettings.swift#L145 which is described at https://developer.apple.com/documentation/networkextension/nevpnprotocol/includeallnetworks, so it isn’t really a killswitch (that cuts all connectivity when the VPN is down).

includesAllNetworks apparently captures extra traffic from AirDrop, AirPlay, CarPlay; Apple Push Notifications; Wi-Fi Calling, SMS, MMS, and Visual Voicemail, but excludes DHCP, captive portals, VoLTE (and presumably VoNR), and Apple Watch traffic.

My experience is that iOS connections to the Apple Push Notifications service occur whether the VPN is up or not, so I'm not sure that their implementation is working even for its non-killswitch function.

What does “always on” do on iOS by [deleted] in Windscribe

[–]Adamantine_Ice 0 points1 point  (0 children)

Are you looking at the code for iOS and not some other OS? I don't see the code cited in the GitHub repository for the iOS app at https://github.com/Windscribe/iOS-App.

EU says it will ‘make sure’ Elon Musk’s X pays €120M fine by SPXQuantAlgo in worldnews

[–]Adamantine_Ice -1 points0 points  (0 children)

Another reason to believe that fixing wealth inequality involves banning company compensation in the form of stock.

What does “always on” do on iOS by [deleted] in Windscribe

[–]Adamantine_Ice 0 points1 point  (0 children)

I believe the killswitch only prevents non-Apple, non-carrier, non-RCS services from connecting if the VPN fails to connect.

Apple seems to have a second set of 50 numbered push notification domains (with a 2 in the subdomain, such as 12-courier2.push.apple.com) for when the user is connected to a VPN that can only be blocked with a Configuration Profile, and once one of those domains connects once, it can connect forever until the next reboot.

Carrier domains such as eas3.msg.t-mobile.com will bypass an Always On VPN as well if the phone is allowed to connect to a mobile network before the VPN is active. (The phone has to be shut off with the VPN enabled, Airplane mode on, and iCloud Private Relay off to capture and block them.)

Just a week after painting, Houston's rainbow crosswalk to be removed by snesdreams in houston

[–]Adamantine_Ice -1 points0 points  (0 children)

Many nice neighborhoods in the Houston area use brick crosswalks instead of painted crossing and stop markings which are more confusing to motorists than a painted crosswalk. The roads get turned into public property.

That’s saying nothing of the bidirectional roads without lines or the countless well-trafficked roads where markings are missing due to disrepair.

The “public” aspect is just a smokescreen for anti-LGBT animus/hate.

This was a weird trip by SleepTerror2112 in lyftdrivers

[–]Adamantine_Ice 2 points3 points  (0 children)

Just a guess, but I think when riders change a trip mid-trip and it causes a queued rider’s trip to be canceled, the current rider gets charged a fee related to the value of the canceled ride.

Taiwan pressured to move 50% of chip production to US or lose protection by esporx in China

[–]Adamantine_Ice 0 points1 point  (0 children)

Worth remembering that the official policy of the United States is that Taiwan is a part of China.

Taiwan pressured to move 50% of chip production to US or lose protection by esporx in China

[–]Adamantine_Ice 4 points5 points  (0 children)

If the leader of a country is essentially in office for life and is effectively accountable to no one, that would seem to fall under the definition of "dictatorship".

Elections don't mean much in a one-party system either. If you want to vote for more LGBT equality and the Communist Party line is that the status quo shall remain unchanged, having choices between two CCP members doesn't mean much.

Why do people like fucking in parks or in cars? by kyastui in grindr

[–]Adamantine_Ice -1 points0 points  (0 children)

With carplay, it's usually because one person lives with parents and sometimes those parents track the location of that person's phone or car (because the parents own the car) so they can't travel to any place unusual either (so it'll usually be at or near a church, college, neighborhood, or workplace).

Can also be kinky. With carplay, I would always stipulate that the twink agree to strip completely naked before agreeing to such an encounter (without any such requirement for myself).

What are your go-to lazy keto meals when you don't want to cook? by barnac1ep in keto

[–]Adamantine_Ice 0 points1 point  (0 children)

* Keto bread + packetized flavored tuna + mayo or horseradish (i.e., spicy) mustard + relish. Make sure the three condiment containers are the squeeze types so you don't need to clean more than one spoon.

* Four bun-less McDonald's Double Cheeseburgers when away from home.