Post · Replies · Boosts · Views · Activity

Persistent Remote Access or Network Manipulation? Technical Findings and Questions
Hi all, I’m not a developer, but I’m hoping someone with iOS system or network experience can help me understand some very persistent and unusual behavior on my iPhone. I’ve gathered system logs and app-level diagnostics and would really appreciate insight from anyone familiar with daemons, VPN tunnels, or MDM behavior on Apple platforms.

Summary of Issues Over Time
- March 2025: Most apps begin logging out automatically when closed
- April 2025: Passwords across apps and browsers begin failing
- May–June 2025: Gmail password reset emails stop arriving (even though other email works)

These symptoms suggest something affecting secure sessions, DNS routing, or background data handling. I began running diagnostics and found unexpected system and network behaviors.

Examples:
- com.apple.mobile.lockdown.remote.trusted
- file_relay.shim.remote
- pcapd.shim.remote
- webinspector.shim.remote
- bluetooth.BTPacketLogger.shim.remote

On a normal, non-jailbroken device, I wouldn't expect so many .shim.remote or .diagnostic services to be active. Is this expected on iOS 18.5?

The binary /usr/sbin/scutil appears to be missing. This breaks commands like:
- scutil --dns
- scutil --proxy
- scutil --nc list

On a standard iOS device, is it even possible for scutil to be removed or disabled?

App Behavior and Config Locking (Cloudflare WARP Log)
From the logs of the Cloudflare WARP app (not enterprise-managed):
- The app repeatedly forces VPN tunnels to reconnect or restart by injecting dummy URLs (force OS to restart the network extension process).
- It tries to load policy configuration from MDM and Teams APIs (even though no MDM appears in Settings).
- Many config items are marked as: locked: true, visible: true, including: DNS logs, Fallback DNS, Trusted WiFi settings
- The account is labeled as: WarpAccountRole.child, which may explain some restrictions — but I’ve never set this manually.

This seems more advanced than what the standard WARP app does. Could a provisioning profile or side-loaded config be applying these?

Key Questions for the Community
- Are ~50 remote diagnostic services (.shim.remote) normal on iOS 18.5 stock devices?
- Could a VPN app (e.g. WARP) or hidden config enforce flow-switching across interfaces like ipsec, awdl, and pdp_ip, even when not visibly active?
- Can a provisioning profile or managed config enable services like file_relay, pcapd, or webinspector silently — without any visible MDM profile?
- Has anyone seen scutil or other network tools missing on a stock iPhone? What could cause this?
- Does WARP in MASQUE mode normally lock DNS settings and force tunnel restarts — or could this indicate tampering?

If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd love to compare. Happy to share sanitized logs or run more tests if helpful. Thank you for any insights — especially from those familiar with internal services, VPN frameworks, or supervised profiles.

Attachments: get-network-info.txt, remotectl_dumpstate.txt, assetsd.diskwrites_resource-2025-06-25-221428.json, More network info.txt
Replies: 2 · Boosts: 0 · Views: 144 · Activity: Jun ’25
Ongoing Suspicious Remote and Network Access Behavior — Seeking Technical Insight
Over the past few months, I’ve been experiencing persistent, abnormal behavior on my iPhone. Here's a short timeline:
- March 2025: Most apps log me out every time I close them.
- April 2025: Stored passwords suddenly begin failing across apps and websites.
- May–June 2025: Password recovery emails from Gmail accounts no longer arrive — suggesting that Gmail itself may be compromised or blocked/intercepted.

Given the escalation, I ran several diagnostics and extracted system-level logs. Below is a structured summary of findings that point toward potential remote access, network traffic rerouting, and possibly hidden use of Bluetooth or debugging interfaces.

1. Evidence of Remote Services and XPC Connectivity
Source: remotectl_dumpstate.txt
More than 50 remote lockdown and diagnostic services are listed as active. Notable entries:
- com.apple.mobile.lockdown.remote.trusted and .untrusted
- com.apple.mobile.file_relay.shim.remote
- com.apple.webinspector.shim.remote
- com.apple.pcapd.shim.remote
- com.apple.bluetooth.BTPacketLogger.shim.remote
- com.apple.mobile.insecure_notification_proxy.remote

This volume of .shim.remote and diagnostic services appears highly irregular for a non-debug, non-jailbroken device.

2. Skywalk Network Flows and Unusual Routing
Source: skywalk.txt
Dozens of flowswitch entries across interfaces like: ipsec0-7, pdp_ip0-2, en0-2, awdl0
Apps such as Gmail, ChatGPT, Preferences, and com.apple.WebKit are marked as defunct, yet persist in flow tables.
Two specific daemons — replicatord and siriactionsd — appear on nearly every interface, in both QUIC and TCP6 traffic.
skywalkctl flow-route shows multiple external IP paths, with flows routed through ipsec7, owned by kernel_task.0 — which could indicate system-level tunneling.

3. System Anomalies and Resource Behavior
Inaccessible System Network Tools
Source: get-network-info.txt
All scutil calls fail (/usr/sbin/scutil does not exist). This blocks access to:
- DNS configuration (scutil --dns)
- Proxy and VPN status (scutil --proxy, --nc list)
- Reachability checks (scutil -r www.apple.com)

Key Questions for the Developer Community
- Are >50 remote .shim.remote services typical on iOS 18.5 (release build)? Or does this suggest tampering, an MDM configuration, or debug provisioning?
- Could a misconfigured VPN or MDM profile enable persistent flow-switching across multiple interfaces (e.g., ipsec, pdp, awdl) and reroute app traffic such as Gmail?
- Is it possible for a test or developer certificate to silently side-load a background daemon, or trigger services like pcapd or file_relay, without showing in Profiles or Settings?
- Has anyone else seen the scutil binary missing or inaccessible on a stock iPhone? Could this be a sign of intentional lockdown or system modification?

If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd like to compare the service count and see if this behavior is reproducible. I’d appreciate any insight from those familiar with Apple’s system daemons, skywalk internals, or network service behavior. Happy to share sanitized logs or run additional diagnostics if needed. Thanks in advance.

Attachments: get-network-info.txt, route-info.txt, remotectl_dumpstate.txt, assetsd.diskwrites_resource-2025-06-25-221428.json
Replies: 2 · Boosts: 0 · Views: 103 · Activity: Jun ’25
Ongoing Suspicious Remote and Network Access Behavior — Seeking Technical Insight
Over the past few months, I’ve been experiencing persistent, abnormal behavior on my iPhone. Here's a short timeline:
- March 2025: Most apps log me out every time I close them.
- April 2025: Stored passwords suddenly begin failing across apps and websites.
- May–June 2025: Password recovery emails from Gmail accounts no longer arrive — suggesting that Gmail itself may be compromised or blocked/intercepted.

Given the escalation, I ran several diagnostics and extracted system-level logs. Below is a structured summary of findings that point toward potential remote access, network traffic rerouting, and possibly hidden use of Bluetooth or debugging interfaces.

1. Evidence of Remote Services and XPC Connectivity
Source: remotectl_dumpstate.txt
Notable entries:
- com.apple.mobile.lockdown.remote.trusted and .untrusted
- com.apple.mobile.file_relay.shim.remote
- com.apple.webinspector.shim.remote
- com.apple.pcapd.shim.remote
- com.apple.bluetooth.BTPacketLogger.shim.remote
- com.apple.mobile.insecure_notification_proxy.remote

This volume of .shim.remote and diagnostic services appears highly irregular for a non-debug, non-jailbroken device.

2. Skywalk Network Flows and Unusual Routing
Source: skywalk.txt
Dozens of flowswitch entries across interfaces like: ipsec0-7, pdp_ip0-2, en0-2, awdl0
Apps such as Gmail, ChatGPT, Preferences, and com.apple.WebKit are marked as defunct, yet persist in flow tables.
Two specific daemons — replicatord and siriactionsd — appear on nearly every interface, in both QUIC and TCP6 traffic.
skywalkctl flow-route shows multiple external IP paths, with flows routed through ipsec7, owned by kernel_task.0 — which could indicate system-level tunneling.

3. System Anomalies and Resource Behavior
Inaccessible System Network Tools
Source: get-network-info.txt
All scutil calls fail (/usr/sbin/scutil does not exist). This blocks access to:
- DNS configuration (scutil --dns)
- Proxy and VPN status (scutil --proxy, --nc list)
- Reachability checks (scutil -r www.apple.com)

Key Questions for the Developer Community
- Are >50 remote .shim.remote services typical on iOS 18.5 (release build)? Or does this suggest tampering, an MDM configuration, or debug provisioning?
- Could a misconfigured VPN or MDM profile enable persistent flow-switching across multiple interfaces (e.g., ipsec, pdp, awdl) and reroute app traffic such as Gmail?
- Is it possible for a test or developer certificate to silently side-load a background daemon, or trigger services like pcapd or file_relay, without showing in Profiles or Settings?
- Has anyone else seen the scutil binary missing or inaccessible on a stock iPhone? Could this be a sign of intentional lockdown or system modification?

If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd like to compare the service count and see if this behavior is reproducible. I’d appreciate any insight from those familiar with Apple’s system daemons, skywalk internals, or network service behavior. Happy to share sanitized logs or run additional diagnostics if needed. Thanks in advance.

Attachments: get-network-info.txt, remotectl_dumpstate.txt, assetsd.diskwrites_resource-2025-06-25-221428.json
Replies: 1 · Boosts: 0 · Views: 81 · Activity: Jun ’25
Persistent Remote Access or Network Manipulation? Technical Findings and Questions
Over the past few months, I’ve been experiencing persistent, abnormal behavior on my iPhone. Here's a short timeline:
- March 2025: Most apps log me out every time I close them.
- April 2025: Stored passwords suddenly begin failing across apps and websites.
- May–June 2025: Password recovery emails from Gmail accounts no longer arrive — suggesting that Gmail itself may be compromised or blocked/intercepted.

Given the escalation, I ran several diagnostics and extracted system-level logs. Below is a structured summary of findings that point toward potential remote access, network traffic rerouting, and possibly hidden use of Bluetooth or debugging interfaces.

Device Information
- Model: iPhone17,1 (A17 chip)
- iOS Version: 18.5 (Build 22F76)
- Status: Stock, not jailbroken or running a developer build
- Region: Netherlands
- Carrier: KPN NL
- Language/Locale: Dutch (nl-NL)

1. Evidence of Remote Services and XPC Connectivity
Source: remotectl_dumpstate.txt
More than 50 remote lockdown and diagnostic services are listed as active. Notable entries:
- com.apple.mobile.lockdown.remote.trusted and .untrusted
- com.apple.mobile.file_relay.shim.remote
- com.apple.webinspector.shim.remote
- com.apple.pcapd.shim.remote
- com.apple.bluetooth.BTPacketLogger.shim.remote
- com.apple.mobile.insecure_notification_proxy.remote

This volume of .shim.remote and diagnostic services appears highly irregular for a non-debug, non-jailbroken device.

2. Skywalk Network Flows and Unusual Routing
Source: skywalk.txt
Dozens of flowswitch entries across interfaces like: ipsec0-7, pdp_ip0-2, en0-2, awdl0
Apps such as Gmail, ChatGPT, Preferences, and com.apple.WebKit are marked as defunct, yet persist in flow tables.
Two specific daemons — replicatord and siriactionsd — appear on nearly every interface, in both QUIC and TCP6 traffic.
skywalkctl flow-route shows multiple external IP paths, with flows routed through ipsec7, owned by kernel_task.0 — could this indicate tunnelling?

3. System Anomalies and Resource Behavior
Inaccessible System Network Tools
Source: get-network-info.txt
All scutil calls fail (/usr/sbin/scutil does not exist). This blocks access to:
- DNS configuration (scutil --dns)
- Proxy and VPN status (scutil --proxy, --nc list)
- Reachability checks (scutil -r www.apple.com)

The absence of scutil is not expected, right?

Unusual Resource Usage
Source: assetsd.diskwrites_resource-2025-06-25.json
assetsd, working on behalf of cloudphotod, wrote over 1 GB of memory-backed files in under 1.5 hours.

4. Metadata Confirmation
Source: Analytics-2025-06-27-020008.json
Confirms:
- iPhone capacity: 256 GB
- DRAM: 7.5 GB
- Carrier: KPN NL

Apps marked as highly active ("Games", "Creativity") in analytics also appear as defunct in skywalk, suggesting ghost background processes.

Key Questions for the Developer Community
- Are >50 remote .shim.remote services typical on iOS 18.5 (release build)? Or does this suggest tampering, an MDM configuration, or debug provisioning?
- Could a misconfigured VPN or MDM profile enable persistent flow-switching across multiple interfaces (e.g., ipsec, pdp, awdl) and reroute app traffic such as Gmail?
- Is it possible for a test or developer certificate to silently side-load a background daemon, or trigger services like pcapd or file_relay, without showing in Profiles or Settings?
- Has anyone else seen the scutil binary missing or inaccessible on a stock iPhone? Could this be a sign of intentional lockdown or system modification?

If anyone on iOS 18.5 / iPhone17,1 can share their remotectl_dumpstate output, I'd like to compare the service count and see if this behavior is reproducible. I’d appreciate any insight from those familiar with Apple’s system daemons, skywalk internals, or network service behavior. Happy to share sanitized logs or run additional diagnostics if needed. Thanks in advance.

Attachments: get-network-info.txt, route-info.txt, remotectl_dumpstate.txt, assetsd.diskwrites_resource-2025-06-25-221428.json
Replies: 0 · Boosts: 1 · Views: 91 · Activity: Jun ’25