FBI Recovers Deleted Signal Messages from iPhone Push Notification Database
FBI recovers deleted Signal messages from iPhone notification database, highlighting risk of forensic extraction even after app deletion.
Breaking: FBI Extracts Deleted Signal Messages via iPhone Notification Cache
Federal investigators have successfully retrieved copies of incoming Signal messages from a defendant's iPhone even after the app was deleted, according to a court report published Friday by 404 Media. The technique relies on forensic extraction of data stored in the device's push notification database—a repository that retains message previews even when the source app is removed.
“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media. The case underscores how physical access to a device, combined with specialized software, can unearth sensitive metadata from encrypted messaging platforms.
Signal offers a built-in setting that blocks message content from appearing in push notifications. The incident highlights why activating that feature may be critical for users who value end-to-end encryption privacy. Apple has since patched the vulnerability, but older devices remain at risk.
Background
Forensic extraction typically occurs when law enforcement gains physical control of a phone and runs software such as Cellebrite or GrayKey. This process can dig into databases that apps cannot erase, including the notification cache where iOS stores recent push alert text.
In this case, the defendant had deleted the Signal app entirely, but incoming message previews remained in the phone's notification database. Because Signal messages are end-to-end encrypted, the notification body—often the first few words of a message—was the only recoverable plaintext.
Security experts note that the same vulnerability could affect other messaging apps that display message previews in notifications, including WhatsApp and Telegram. However, Signal's optional “Show Preview” toggle is specifically designed to prevent this type of recovery.
What This Means
For users of encrypted messaging apps, this revelation reinforces that encryption alone does not guarantee privacy when the device itself can be accessed. Any app that writes decrypted message content into a notification is potentially creating a forensic record.
“This is a reminder that the security of your communications depends not only on the app’s encryption but also on how your phone handles notifications,” said a cybersecurity analyst speaking on condition of anonymity. “If you turn off message previews in Signal, you remove this particular attack vector.”
Law enforcement agencies are likely to expand use of notification-database forensic extraction in future investigations, particularly when suspects have deleted messaging apps. Defense attorneys may now challenge the admissibility of such evidence, arguing that users have a reasonable expectation of privacy in deleted messages.
Apple's patch addresses the immediate technical issue, but the broader lesson stands: nothing stored on a device is truly gone until its storage sectors are overwritten. For now, the safest practice is to disable notification previews entirely for any app handling sensitive conversations.