y’all have your notifications set to “Name Only” or “No Name or Content”, right…? 🤔

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database”

💰 https://www.404media.co/fbi-extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-database-2/

a detailed write-up that’s not paywalled 👇

When deleting Signal is not enough: the FBI, iPhone notifications, and what can reveal

“A few days ago, 404 Media published a detailed report that made a lot of people uncomfortable: the FBI managed to recover Signal messages from a suspect’s iPhone, even though the app had already been uninstalled. No was broken. No Signal server was compromised. The messages were sitting in the phone’s own notification database, waiting to be found.”

https://andreafortuna.org/2026/04/11/signal-fbi-iphone-notifications-forensics/


 

@itgrrl I see no mention of the implications for Android devices. Does the same issue exist?

@scottymace I don’t know the details of push notification storage on Android, but limiting the content of push notifications for any privacy-focused apps is a sensible precaution regardless of the app or the platform you use it on (some people run Signal on desktop OSes too)

@itgrrl Yes, it does have android implications.
1. Open Signal.
2. Tap your profile icon.
3. Tap Notifications.
4. Under Show, select “No name or message”.
If using Molly, users can additionally enable database encryption at rest, which encrypts Signal’s local database with a separate passphrase — adding protection against on-device forensic extraction of the app’s own data.

@scottymace Signal’s database wasn’t the problem in this instance, it was the amount of detail in the content of push notifications (and its persistence) in the iOS APN database

choosing to use a fork like instead of the official client brings its own set of risks and trade-offs to be weighed in the context of your specific threat model

@itgrrl @scottymace

Nearly:

it was the amount of detail in the content of push notifications

It wasn’t the information in the push notification. This goes via Apple’s server and is a one-bit signal that says ‘there may be some messages waiting for you, you should go and check’ (may be, because Signal sends some spurious push notifications to make traffic correlations harder).

The Signal app then gets the message and asks the local OS notification mechanism to display the notification. If the permissions are set up to display Signal notifications on the lock screen, these are also persisted in a database on iOS (I have no idea why. Is there some way of searching them?). If you’re worried about people with physical access to your device reading your messages, I would suggest that turning off the thing that shows them on the lock screen is probably a good idea.

@david_chisnall @itgrrl @scottymace "Is there some way of searching them?" I can only speak of Android: there definitely is a system-level option to keep a browsable notification history.

@buherator @david_chisnall @scottymace AFAIK on iOS there’s no on-device way to search or view the contents of any of the internal system databases without jailbreaking (which has become increasingly difficult to do), but there are digital forensics tools (both commercial & open source) that can enumerate them – this is the sort of tool that the FBI used

@itgrrl @buherator @scottymace

Do you have any idea why they bother persisting more than the notifications currently on the screen? It's weird to collect data that you have no use for. Does it train on-device text-prediction models or something?

@david_chisnall @itgrrl @scottymace User story: I explicitly looked for and manually enabled the history on Android bc there were notifs that contained important info but I sometimes removed them from the screen by accident and I couldn't find them in the corresponding app (can't tell the exact app/feature).

@david_chisnall @buherator @scottymace I doubt they’re using that data for training, but other than that ¯_(ツ)_/¯

I tend to assume incompetence before malice, could just be sloppy garbage collection
