Apple has patched a security flaw that previously allowed the Federal Bureau of Investigation to access a Signal user’s deleted messages via the device’s push notification database—even after the app had been removed and messages were set to disappear.
In a security advisory released Wednesday, Apple said it resolved an issue where “notifications marked for deletion” could be “unexpectedly retained on the device.”
In a post on X, Signal confirmed the fix, noting that the bug had made certain messages accessible to law enforcement.
“Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release,” Signal said.
While Signal uses end-to-end encryption to protect user communications, the incident highlights that encryption alone may not fully safeguard data when vulnerabilities exist at the device or operating system level.
The Federal Bureau of Investigation was able to access private messages through a previously undisclosed loophole, first reported by 404 Media. On April 9, the outlet revealed that newly unsealed documents from a federal court in Texas detailed an FBI investigation tied to an attack on the Prairieland ICE Detention Facility last July.
According to the filings, investigators were able to forensically recover a defendant’s Signal messages from an iPhone’s notification database. The database had stored cached, readable previews of incoming messages—even after disappearing messages were enabled and the app itself had been deleted.
Following the report, Signal President Meredith Whittaker urged Apple to address the issue swiftly. In an April 14 post on X, she said that “notifications for deleted messages shouldn’t remain in any OS notification database.”
Pavel Durov, co-founder of the rival messaging platform Telegram, also weighed in. In an April 14 post on Telegram, he argued that the only reliable way to ensure privacy is for apps to eliminate notification previews entirely on both ends of a conversation.
