Apple has patched a security vulnerability that allowed law enforcement, including the FBI, to forensically extract Signal messages from iPhones even after the encrypted messaging app had been deleted — a fix prompted by investigative reporting that revealed the flaw had been exploited in at least one federal criminal case.
Apple released a security patch on April 22 addressing a flaw in iOS that caused iPhones to retain copies of incoming notification content — including Signal message previews — in an internal database, even after the associated app had been removed by the user.
The vulnerability came to light following reporting by 404 Media, which documented how FBI Special Agent Clark Wiethorn testified in a federal trial that agents had successfully recovered Signal messages from the iPhone of defendant Elizabeth Soto, despite the app having been deleted from her device.
According to notes taken by defence attorney Harmony Schuerman and shared with 404 Media, the FBI was able to access the messages because of how iOS handled lock-screen notifications. "They were able to capture these chats because of the way she had notifications set up on her phone — anytime a notification pops up on the lock screen, Apple stores it in the internal memory of the device," Schuerman wrote.
The case arose from an incident at the ICE Prairieland Detention Facility in Alvarado, Texas, in which individuals were accused of vandalism, setting off fireworks, and shooting a police officer. It was among the first prosecutions under President Trump's designation of "Antifa" as a domestic terrorist organisation.
In its security advisory, Apple described the underlying problem as "a logging issue" that was "addressed with improved data redaction." In follow-up correspondence with 404 Media, Apple said it had identified a bug causing iPhones to unexpectedly save notifications marked for deletion, and confirmed that the patch retroactively purges any previously stored notifications of this type. Apple stated it is company policy to remove associated notifications when an app is uninstalled.
Signal welcomed the fix. "We are very happy that today Apple issued a patch and a security advisory. This comes following 404 Media reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted," Signal posted on the social platform Bluesky.
According to court records cited by 404 Media, this was not an isolated incident — the FBI had leveraged the same notification database mechanism multiple times across separate investigations to recover Signal message content.
The fix highlights a broader tension between end-to-end encrypted communications tools and the ability of law enforcement to access message content through operating system-level data retention — even when users believe they have taken steps to protect their communications. Signal itself encrypts messages in transit and at rest within the app, but notification previews displayed by iOS were being stored separately, outside the app's own security perimeter.
Users who had enabled lock-screen message previews in Signal — a default setting for many — were potentially exposed to this vulnerability without their knowledge. Apple's patch is included in the latest iOS update and applies retroactively to clear previously stored notification data.
Analysis
Why This Matters
- The vulnerability undermined a core promise of encrypted messaging: that deleting an app or its messages removes them from a device. Users who believed Signal's encryption protected them may not have realised iOS itself was retaining plaintext message previews.
- Law enforcement had used this method across multiple cases, suggesting it was an established — if little-known — forensic technique before public disclosure forced Apple's hand.
- The fix sets a precedent for how media scrutiny can accelerate security patches that might otherwise remain unaddressed, particularly where surveillance interests are involved.
Background
Signal is widely regarded as the gold standard in encrypted messaging, used by journalists, activists, lawyers, and privacy-conscious individuals worldwide. Its encryption protocol ensures that messages cannot be intercepted in transit, and the app offers features such as disappearing messages designed to limit data retention.
However, operating systems like iOS manage notifications independently of individual apps. When Signal (or any app) sends a notification that appears on a lock screen, iOS historically stored a copy of that notification content in a system-level database — a convenience feature for notification history. This database was accessible to forensic tools used by law enforcement, creating a gap between what users expected and what was actually happening on their devices.
Apple had not publicly disclosed this behaviour, and the issue only surfaced through testimony in a federal criminal case. Prior to 404 Media's reporting in April 2026, the forensic technique appeared to be known within law enforcement and digital forensics circles but not widely understood by the public or even privacy advocates.
Key Perspectives
Apple: Characterised the issue as a bug — specifically a logging error — rather than an intentional design choice, and moved swiftly to patch it once it attracted public attention. The company says its policy has always been to delete associated notification data when an app is removed.
Signal: Welcomed the fix and credited the media coverage for prompting action. Signal's own encryption was not compromised; the vulnerability resided entirely within iOS's notification handling. The company has consistently advocated for device-level security to match its application-level protections.
Critics and privacy advocates: While the patch is a positive step, the episode raises questions about how many similar OS-level data retention behaviours remain undisclosed. The fact that law enforcement had repeatedly exploited this gap — and that it took a court case and press coverage rather than Apple's own audits to surface it — is a concern for those who rely on encrypted tools for sensitive communications.
What to Watch
- Whether other messaging apps — including WhatsApp, Telegram, and iMessage in specific configurations — are subject to similar notification-database retention issues on iOS or Android.
- Legal challenges or motions in existing cases where evidence was obtained using this technique, which may now face fresh scrutiny.
- Apple's broader review of what other system-level data may be retained independently of app-level deletion, potentially prompted by increased regulatory and public attention following this episode.