FBI Recovers Deleted Signal Messages from iPhone Notification Cache
Breaking News — The FBI has successfully extracted copies of incoming Signal messages from a defendant's iPhone, even after the encrypted messaging app was deleted from the device. The recovery was possible because the message content had been stored locally in the iPhone's push notification database.
This development, first reported by 404 Media, underscores how forensic extraction techniques can retrieve sensitive data from secure apps through unexpected storage locations. The technique requires physical access to the device and specialized software to run a forensic analysis.
"We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device," a supporter of the defendants who was taking notes during the trial told 404 Media.
Apple has since released a patch that addresses this vulnerability. The update prevents the notification system from retaining message previews after an app is deleted, though existing data may remain on devices that have not been updated.
Background
Signal is widely regarded as one of the most secure messaging apps available, offering end-to-end encryption by default. However, the app includes a setting that controls whether message content appears in push notifications. If a user enables message previews — particularly on an iPhone — the device's operating system stores a copy of that content in the notification database.
When a user deletes the Signal app, the notification database is not automatically cleared. Forensic tools can then extract these cached notifications, revealing the contents of incoming messages even after the app is gone. The vulnerability was not limited to Signal; any messaging app that uses iOS notifications with previews could be affected.
What This Means
This case highlights a critical privacy consideration for users of encrypted messaging apps. Even if the app itself is secure and deleted, message previews stored by the operating system can be recovered by law enforcement or other actors with physical access to the device.
Security experts recommend that users disable message previews in their notification settings for any sensitive communication. Signal provides a specific setting to block message content from displaying in notifications — enabling this feature prevents the notification database from storing readable text.
- For individuals: Turn off notification previews in Signal and other messaging apps to reduce forensic exposure.
- For organizations: Implement mobile device management policies that disable notification previews on work-issued devices.
The FBI's success in this case demonstrates that physical access to a device remains a powerful vector for data recovery, even from apps designed with strong security. While Apple's patch closes the immediate loophole, users should remain vigilant about what data their device stores locally.
As digital forensics continues to evolve, this incident serves as a reminder that no app is completely invisible once it has interacted with a device's core operating system functions.