How the FBI Recovered Deleted Signal Messages from an iPhone's Notification Cache

The Discovery: Deleted Messages Still Accessible

In a case that has sent ripples through the privacy-conscious community, the FBI managed to retrieve copies of incoming Signal messages from a defendant’s iPhone—even after the messaging app itself had been deleted. According to a report by 404 Media, the key to this recovery lay not in the app’s own data but in an unexpected repository: the device’s push notification database.

During the trial, a supporter of the defendants who was taking notes noted that, “specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device.” This internal storage persisted even after Signal was removed, giving forensic analysts a window into communications that were thought to be erased.

Forensic Extraction Techniques

The method used by the FBI is known as forensic extraction, a process that requires physical access to a device and the ability to run specialized software on it. Once connected, the software can dig deep into the file system, pulling fragments of data that ordinary deletion processes do not fully scrub.

While many users assume that deleting an app wipes all its associated data, the reality is more complex. Operating systems like iOS often retain cached or logged information in system databases. In this case, the notification cache remained populated with message previews, even after Signal was no longer installed.

The Role of Push Notifications

Push notifications are designed to give users a quick glimpse of incoming messages without opening an app. When Signal is configured to show message previews—either on the lock screen or in the notification center—iOS automatically writes a copy of that preview into a dedicated notification database. This database is part of the core operating system and is not deleted when the app is removed.

The vulnerability is not intrinsic to Signal itself but is a consequence of how iOS handles notification data. Any messaging app that enables message previews in notifications could theoretically leave similar traces.

Signal's Privacy Setting

Signal already offers a setting that blocks message content from appearing in push notifications. By default, this feature is turned off. The case highlights why enabling it might be crucial for users who want to minimize their digital footprint. When enabled, notifications from Signal will display only the sender’s name (or “Signal message”) without the actual text, preventing the system from caching sensitive content.

To activate this protection: go to Signal Settings > Notifications > Show, and select No Name or Content or Name Only.

The Vulnerability and Apple's Patch

After the case came to light, Apple acted quickly. According to an update published on April 24, Apple patched the vulnerability that allowed forensic extraction of deleted notification data. The patch addresses the underlying storage mechanism in iOS, ensuring that notification previews are more thoroughly cleaned when an app is deleted or when notifications are cleared.

However, experts note that while this patch closes a specific technical loophole, it does not eliminate the broader risk. Notification databases can still be accessed by forensic tools if the device is unlocked and in a freshly powered-on state.

Implications for Users and Secure Messaging

This incident underscores a fundamental principle in digital security: deleted is not always erased. For journalists, activists, or anyone handling sensitive information, the discovery serves as a stark reminder that even encrypted apps like Signal may leave traces in unexpected system components.

To reduce risk, users should consider:

• Disable message previews in notification settings for all messaging apps.
• Use end-to-end encrypted apps that offer disappearing messages and notification cloaking.
• Regularly review app permissions and clear notification history manually.
• If using Signal, turn on the setting to hide message content in notifications (as described above).

The FBI's ability to recover deleted Signal data is not a failure of Signal’s encryption but a feature of iOS’s notification system. As the digital forensic arms race continues, both platform developers and users must remain vigilant about where data can linger.

While Apple’s patch mitigates the specific vulnerability exploited in this case, the broader lesson endures: privacy requires proactive configuration, not just passive trust in the app or operating system.