y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? 🤔
FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database
“The #FBI was able to forensically extract copies of incoming Signal messages from a defendant’s #iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database”
a detailed write-up that’s not paywalled 👇
When deleting Signal is not enough: the FBI, iPhone notifications, and what #forensics can reveal
“A few days ago, 404 Media published a detailed report that made a lot of people uncomfortable: the FBI managed to recover Signal messages from a suspect’s iPhone, even though the app had already been uninstalled. No #encryption was broken. No Signal server was compromised. The messages were sitting in the phone’s own notification database, waiting to be found.”
https://andreafortuna.org/2026/04/11/signal-fbi-iphone-notifications-forensics/
@itgrrl I see no mention of the implications for Android devices. Does the same issue exist?
@scottymace I don’t know the details of push notification storage on Android, but limiting the content of push notifications for any privacy-focused apps is a sensible precaution regardless of the app or the platform you use it on (some people run Signal on desktop OSes too)
@itgrrl Yes, it does have Android implications.
1. Open Signal.
2. Tap your profile icon.
3. Tap Notifications.
4. Under Show, select “No name or message”.
If using Molly, users can additionally enable database encryption at rest, which encrypts Signal’s local database with a separate passphrase — adding protection against on-device forensic extraction of the app’s own data.
@scottymace Signal’s database #encryption wasn’t the problem in this instance, it was the amount of detail in the content of push notifications (and its persistence) in the iOS APN database
choosing to use a #Signal fork like #Molly instead of the official client brings its own set of risks and trade-offs to be weighed in the context of your specific threat model
Nearly:
“it was the amount of detail in the content of push notifications”
It wasn’t the information in the push notification. This goes via Apple’s server and is a one-bit signal that says ‘there may be some messages waiting for you, you should go and check’ (may be, because Signal sends some spurious push notifications to make traffic correlations harder).
The Signal app then gets the message and asks the local OS notification mechanism to display the notification. If the permissions are set up to display Signal notifications on the lock screen, these are also persisted in a database on iOS (I have no idea why. Is there some way of searching them?). If you’re worried about people with physical access to your device reading your messages, I would suggest that turning off the thing that shows them on the lock screen is probably a good idea.
@buherator @david_chisnall @scottymace AFAIK on iOS there’s no on-device way to search or view the contents of any of the internal system databases without jailbreaking (which has become increasingly difficult to do), but there are digital forensics tools (both commercial & open source) that can enumerate them – this is the sort of tool that the FBI used
@david_chisnall @scottymace I’ve updated my toot to use a more precise descriptor
@itgrrl @buherator @scottymace
Do you have any idea why they bother persisting more than the notifications currently on the screen? It's weird to collect data that you have no use for. Does it train on-device text-prediction models or something?