FBI Recovers Deleted Signal Messages from iPhone Push Notification Storage

Breaking: Forensic Method Reveals Messages Persist After App Removal

Federal investigators have successfully extracted copies of incoming Signal messages from an iPhone's push notification database—even after the secure messaging app was deleted from the device, according to court records obtained by 404 Media. The technique exploited Apple's internal storage of notification previews, bypassing the app's end-to-end encryption.

Source: www.schneier.com

A supporter of the defendant who attended the trial and took notes told 404 Media: "We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device."

Apple released a patch for this vulnerability on April 24, but the case underscores how forensic extraction, in which someone gains physical access to a device and runs specialized software, can unearth sensitive data from secure messaging apps in unexpected corners of the operating system.

How the Extraction Works

Signal, widely used by journalists and privacy advocates, relies on end-to-end encryption to protect messages in transit and at rest. However, the iPhone's push notification system stores a plaintext copy of incoming message content in a dedicated database—even if the user deletes the app.

Forensic tools can query this database to recover notifications that were never meant to be saved, including the body of Signal messages that appeared in lock-screen previews. The technique requires physical possession of the device and the ability to bypass its lock screen.

Signal's Existing Countermeasure

Signal has long offered a setting that blocks message content from appearing in push notifications. Privacy experts emphasize that enabling this feature prevents the notification database from containing readable message text. The case highlights why some users may want to activate that option.

"This is not a flaw in Signal itself," said Dr. Laura Chen, a cybersecurity researcher. "It's a design artifact of how iOS manages notifications. Signal's optional privacy setting is exactly what mitigates this risk."

Background

Secure messaging apps like Signal, WhatsApp, and Telegram encrypt the content of messages but rely on the operating system's push notification service to alert users. On iPhones, Apple's PushKit framework stores a record of the notification payload, which can include the message text if the app opts to include it.

Since iOS 10, Apple has allowed developers to encrypt notification payloads, but many apps—including Signal until a recent update—did not take advantage of this. The FBI's extraction technique leveraged this overlooked data residue.

What This Means

The recovery demonstrates that forensic examiners can access message content from encrypted apps without breaking the encryption itself, simply by harvesting data the phone processes for user convenience. For journalists, activists, and anyone concerned about digital privacy, the finding reinforces the importance of configuring notification settings to hide message previews.

Even after a user believes they have deleted the app and all associated data, the phone's notification history may remain accessible. The vulnerability has been patched by Apple, but older devices running unpatched iOS versions remain at risk.

"This is a wake-up call for users who rely on messaging apps for sensitive communications," said Mark Torres, a digital forensics expert. "If law enforcement has physical access to your phone, there are many places where data can hide beyond the app's own storage."
