FBI Extracts Deleted Signal Messages from iPhone Notification Database
The FBI forensically recovered deleted Signal messages from an iPhone by accessing the device's push notification database, which retained message previews even after the app was removed.
The FBI has demonstrated a novel forensic technique that allows law enforcement to recover deleted Signal messages from iPhones by extracting data from the device's push notification database. According to a report from 404 Media, the technique was used in a criminal case where investigators were able to retrieve copies of incoming Signal messages from a defendant's iPhone, even after the Signal application had been deleted from the device. The discovery highlights a significant privacy risk for users of encrypted messaging apps on iOS devices.
The vulnerability stems from how iOS handles push notifications. When an app like Signal receives a message, the operating system stores a preview of that notification in a dedicated database, regardless of whether the user has enabled message previews on the lock screen. A supporter of the defendants who was taking notes during the trial told 404 Media: "We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the lock screen, then the iPhone will internally store those notifications/message previews in the internal memory of the device." This means that even if a user deletes the Signal app entirely, the notification database remains intact and can be accessed through forensic extraction tools.
Signal already offers a setting that blocks message content from appearing in push notifications. However, the case reveals that even when this setting is enabled, the iPhone internally retains those previews in its notification database. This creates a fundamental tension between user expectations of privacy and the operating system's design for notification management. The forensic extraction technique requires physical access to the device and specialized software, but it demonstrates that encrypted messaging apps are not immune to data recovery when the underlying operating system stores copies of message content.
Apple has addressed this vulnerability as of April 24, 2026, with a patch that prevents the notification database from retaining message previews after an app is deleted. The company has not publicly detailed the technical specifics of the fix, but it is expected to be included in the next iOS security update. The patch does not affect the ability of law enforcement to access the notification database while the app is still installed, but it closes the gap that allowed recovery of messages after app deletion.
The case has significant implications for privacy advocates and users of encrypted messaging apps. While Signal's end-to-end encryption ensures that messages cannot be intercepted in transit, the notification database on iOS devices creates a secondary storage location that can be exploited through forensic extraction. This is not a vulnerability in Signal itself, but rather a design characteristic of iOS that affects all apps that use push notifications. The incident underscores the importance of understanding the full data lifecycle on mobile devices, including how operating systems handle notification data.
For users concerned about this risk, the most effective mitigation is to disable message previews in Signal's notification settings and to regularly clear the notification history on their device. However, even with these precautions, the notification database may still retain some metadata. The broader lesson is that forensic extraction techniques continue to evolve, and users should assume that any data that appears on their device, even temporarily, may be recoverable by determined investigators with physical access to the device.