FBI Recovers Deleted Signal Messages from iPhone Push Notification Database, Forensic Experts Warn of Privacy Risks

Last updated: 2026-04-30 21:24:37 · Technology

Breaking News

The FBI has successfully extracted copies of incoming Signal messages from an iPhone—even after the app was deleted—by accessing the device's push notification database, according to a report from 404 Media. The discovery underscores how forensic software can retrieve sensitive data from secure messaging apps through unintended storage pathways.

Source: www.schneier.com

The messages were recovered from a defendant's iPhone during a trial. The extraction was possible because copies of the message content were automatically saved in the iPhone's internal push notification database, even though the Signal app itself had been removed from the device.

Apple has since patched the underlying vulnerability, which allowed notification previews to persist in device memory. The fix was issued on April 24, according to 404 Media's follow-up.

Background

Forensic extraction involves physically accessing a device and running specialized software to recover data. This case demonstrates how even data from encrypted apps like Signal can be exposed if notification settings are not properly configured.

Signal already includes a setting that blocks message content from appearing in push notifications. The case highlights why turning on that feature may be critical for users who want to prevent forensic recovery of their communications.

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

This revelation came from a trial where the FBI's forensic capabilities were demonstrated in court. The supporter's notes provided the first public documentation of the technique.

What This Means

For users of encrypted messaging apps like Signal, this case serves as a stark reminder that secure communication does not automatically protect against forensic recovery if notification previews are enabled. Anyone with physical access to an iPhone—law enforcement, employers, or malicious actors—could potentially extract message contents.

The vulnerability is particularly concerning for journalists, activists, and others who rely on Signal for sensitive conversations. While the app's end-to-end encryption protects messages in transit, the notification database creates a weak point on the device itself.

Apple's patch closes the loophole, but only for devices that receive the update. Users are urged to update their iPhones and, as a best practice, disable message previews in notification settings for all secure messaging apps. Signal's own setting to hide message content in notifications should also be activated.

This case may also influence future legal battles over what data can be compelled from devices. It shows that even deleted app data can be recovered, raising questions about the limits of digital privacy and the scope of forensic searches.