iPhone Notification Bug Exposed Signal Messages to FBI Even After App Deletion


Amsterdam, Wednesday, 29 April 2026.
A critical iOS vulnerability allowed law enforcement to extract deleted Signal message previews from iPhone notification databases, even after users had removed the encrypted messaging app. Apple rushed out emergency updates, iOS 26.4.2 and 18.7.8, on April 22nd to fix the flaw, which retained notifications that had been marked for deletion. The FBI exploited this weakness to recover private communications during criminal investigations, bypassing Signal’s encryption by accessing iOS system files rather than breaking the app’s security directly.

How the FBI Circumvented Signal’s Encryption

The FBI’s success in recovering Signal messages did not involve breaking Signal’s encryption or accessing Signal’s servers directly [1]. Instead, investigators exploited a vulnerability in iOS’s notification database system that stored incoming message previews separately from the encrypted Signal app data [1][2]. According to court testimony, the FBI had physical access to an iPhone and used specialized forensic software to extract these notification previews [1]. The recovered data consisted only of incoming messages, as the notification system does not store outgoing communications [1]. This technique was particularly effective because the target device was likely in an After First Unlock (AFU) state rather than the more secure Before First Unlock (BFU) state, making the notification data accessible to advanced forensic tools [1].

Technical Details of the iOS Vulnerability

Apple identified the flaw as CVE-2026-28950, describing it as a problem where “notifications marked for deletion would unexpectedly be retained on the device” [3]. The vulnerability affected iOS notification services across multiple versions, allowing deleted notifications to persist in the device’s internal storage even after users cleared notifications or completely removed apps [2][8]. Cybersecurity specialist Andrea Fortuna published a detailed analysis on April 11th, 2026, explaining the notification database extraction methods that made this forensic technique possible [1]. The retained notification data could include message content that appeared on lock screens, creating a persistent record that users believed had been deleted [2].

Apple’s Emergency Response and Signal’s Reaction

Apple released emergency updates on April 22nd, 2026, issuing iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to address the security flaw [3][8]. The company fixed the issue through “improved data redaction,” including the removal of existing cached copies of notifications that should have been deleted [3]. Signal’s team thanked Apple for the rapid response, stating that the fix demonstrated Apple’s understanding of “the sensitivity of this issue as part of an ecosystem to safeguard the fundamental human right to private communication” [3]. Signal President Meredith Whittaker emphasized that Signal’s push notifications “NEVER contain sensitive unencrypted data & do not reveal the contents of any Signal messages or calls” [2], clarifying that the vulnerability was in iOS’s handling of notifications rather than Signal’s encryption.

Protecting Privacy Through Enhanced Notification Controls

Users can implement several protective measures to prevent similar exposure of sensitive communications. In Signal, notification privacy can be enhanced by navigating to profile settings, then Notifications, and selecting “Show” options that limit displayed content to “Name only” or “No Name or Content” [2][3]. At the iOS system level, users can control notification previews by going to Settings > Notifications > Show Previews and selecting “Never” or “When Unlocked” instead of “Always” [2]. The broader implications extend beyond individual apps, as the Electronic Frontier Foundation has raised concerns about whether notification logs might be backed up to cloud services, potentially making them accessible to law enforcement through different legal channels [2]. Android devices have implemented automatic rebooting after three days of inactivity to reach the more secure BFU state [1], highlighting the ongoing evolution of mobile security practices in response to forensic capabilities.
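To make the two points above concrete, the following toy model (added here as an illustration; it is not Apple’s or Signal’s code and does not reproduce the real iOS notification database schema) shows why a “mark for deletion” that leaves the bytes in place is a forensic problem, and why the preview policies described above matter even on a device that retains notifications. The table name, column names, app names and sample messages are all constructed for this example; `delete_buggy` stands in for the retained-notification behaviour described in the CVE text and `delete_fixed` for a purge that also removes previously flagged copies.

```python
"""
Added illustration, not Apple's or Signal's code: a constructed
notification store with a soft-delete bug beside a proper purge,
plus the preview-redaction policies a messaging app can apply
before anything reaches the notification system.
"""
from enum import Enum
import sqlite3


class PreviewPolicy(Enum):
    NAME_AND_CONTENT = "name_and_content"        # sender and message text shown
    NAME_ONLY = "name_only"                      # Signal's "Name only"
    NO_NAME_OR_CONTENT = "no_name_or_content"    # Signal's "No Name or Content"


def render_preview(sender: str, body: str, policy: PreviewPolicy) -> str:
    """Text the app hands to the notification system for an incoming message.
    Whatever the OS retains afterwards can contain at most this string."""
    if policy is PreviewPolicy.NAME_AND_CONTENT:
        return f"{sender}: {body}"
    if policy is PreviewPolicy.NAME_ONLY:
        return f"{sender}: New message"
    return "New message"


class NotificationStore:
    """In-memory SQLite table standing in for a device notification database
    (constructed schema). 'deleted' is a soft-delete flag."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE notif (id INTEGER PRIMARY KEY, app TEXT, "
            "preview TEXT, deleted INTEGER NOT NULL DEFAULT 0)"
        )

    def post(self, app: str, preview: str) -> int:
        cur = self.db.execute(
            "INSERT INTO notif (app, preview) VALUES (?, ?)", (app, preview)
        )
        return cur.lastrowid

    def delete_buggy(self, app: str) -> None:
        """Hides the rows from the UI but leaves the content on disk:
        the retained-notification behaviour the article describes."""
        self.db.execute("UPDATE notif SET deleted = 1 WHERE app = ?", (app,))

    def delete_fixed(self, app: str) -> None:
        """Removes the rows and also purges any copies that were merely
        flagged earlier, so no cached preview survives."""
        self.db.execute("DELETE FROM notif WHERE app = ? OR deleted = 1", (app,))

    def visible_previews(self) -> list:
        """What the lock screen / Notification Center would still show."""
        rows = self.db.execute("SELECT preview FROM notif WHERE deleted = 0 ORDER BY id")
        return [r[0] for r in rows]

    def forensic_dump(self) -> list:
        """What an examiner reading the raw store sees: every row,
        regardless of the deleted flag."""
        rows = self.db.execute("SELECT preview FROM notif ORDER BY id")
        return [r[0] for r in rows]


def scenario(delete_strategy: str, policy: PreviewPolicy) -> dict:
    """Post constructed sample traffic, remove the messaging app's
    notifications with the chosen strategy, and compare UI vs raw view."""
    store = NotificationStore()
    incoming = [("Alice", "meet at 9"), ("Bob", "bring the documents")]  # constructed
    for sender, body in incoming:
        store.post("messenger", render_preview(sender, body, policy))
    store.post("weather", "Rain expected")  # unrelated app, should be unaffected
    if delete_strategy == "buggy":
        store.delete_buggy("messenger")
    else:
        store.delete_fixed("messenger")
    return {"ui": store.visible_previews(), "raw": store.forensic_dump()}


if __name__ == "__main__":
    for strategy in ("buggy", "fixed"):
        for policy in PreviewPolicy:
            print(strategy, policy.value, scenario(strategy, policy))
```

Running the scenarios side by side shows the two layers of defence: with the buggy delete the UI is clean but the raw dump still holds “Alice: meet at 9”, whereas with the fixed delete nothing from the messaging app remains; and with the “No Name or Content” policy even the buggy store only ever held the string “New message”, which is why the notification-preview settings above limit exposure independently of the OS fix.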

Sources

