Alajir Stack
2026-05-02
Technology

FBI Uncovered Deleted Signal Messages on iPhone by Targeting Push Notification Database

The FBI forensically recovered deleted Signal messages from an iPhone's push notification database. Security experts urge enabling notification preview blocking to prevent similar extraction.

Breaking: Deleted Signal Messages Recovered via iPhone Notifications

The FBI successfully extracted copies of incoming Signal messages from an iPhone belonging to a defendant—even after the app was deleted—by forensically mining the device's push notification database. The breakthrough came to light through court documents and testimony reported by 404 Media.

Source: www.schneier.com

Government examiners used forensic software with physical access to the iPhone to retrieve message previews that had been stored by iOS in its internal notification logs. These logs persisted despite the removal of the Signal application itself.

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

The technique underscores a critical blind spot in encrypted messaging: even when an app is deleted, fragments of sensitive content can remain accessible at the operating system level. Apple has since released a patch addressing this vulnerability, though older devices may remain at risk.

Background

Forensic extraction—where investigators physically connect to a device and run specialized software—has long been used to recover data from smartphones. However, the practice of targeting push notification databases is a relatively new frontier.

Signal, known for its end-to-end encryption, already offers a setting that blocks message content from appearing in push notifications. The FBI's success highlights why enabling that feature is more than a privacy nicety—it can prevent forensic recovery of message text.


According to 404 Media's original report, the extraction occurred during a criminal trial, with details emerging from notes taken by a supporter present in court. Apple's patch, applied on April 24, closed the specific avenue used by investigators, but similar vulnerabilities may exist in other messaging apps.

What This Means

The case serves as a stark reminder that encryption alone does not guarantee message disappearance. Any notification preview left visible on a lock screen—or even stored internally—creates a recoverable trail.

For users who rely on Signal for sensitive communications, turning off message previews in notification settings is now a recommended baseline security measure. Journalists, activists, and whistleblowers should update their devices immediately.

Law enforcement agencies may also adapt this technique to other encrypted platforms that cache notification data on iOS or Android. Find My and other stock apps could similarly leak metadata through notification logs.

Ultimately, the vulnerability lies not in Signal's encryption but in the operating system's handling of system notifications. Users must understand that forensic tools can exploit such residues, and that secure habits must extend beyond app-level deletions.