How the FBI Recovered Deleted Signal Messages from iPhone Notification Logs
Security researcher @RedHatPentester demonstrates that, despite uninstalling Signal, the FBI can extract plaintext messages from iPhone notification cache databases—a forensic flaw stemming from iOS’s write‑optimized storage that retains deleted notification previews, a risk that also affects Android devices.
1. FBI has used this technique before: App deleted, evidence remains
The FBI previously recovered Signal messages from a suspect’s iPhone even though the Signal app had been uninstalled for months. They did not exploit a zero‑day vulnerability nor break Signal’s end‑to‑end encryption; instead they performed forensic analysis of the device’s notification database.
Security researcher @RedHatPentester replicated the same method on his own device and succeeded in retrieving the message contents.
2. The issue is not encryption failure but a system‑level cache defect
When a message arrives via Apple Push Notification service (APNs), iOS creates a preview on the lock screen and in the notification center according to the user’s preview settings. These preview texts are temporarily stored in a system‑level database and notification log.
The problem lies in iOS’s write‑optimized storage: deleted data blocks are merely marked as free and are not immediately overwritten. During this window, forensic tools can recover the residual data.
Thus, even after uninstalling an app or deleting chat history, fragments of the messages may remain intact in the system database.
3. Forensic tools see “deletion” as only a superficial cover
In mobile forensics, any data that has not been physically damaged or fully overwritten can potentially be recovered. Here, even a “clean” uninstall leaves notification fragments that are fully visible to forensic software, which can automatically reassemble them into complete messages.
This provides investigators with valuable evidence but poses a serious privacy risk for users.
4. Android is not immune
Multiple users reported that Android also retains notification previews in a history log (Settings → Notifications → Advanced → Notification history). Therefore, the default notification preview on both iOS and Android acts as a “time bomb” for sensitive applications.
5. How to protect yourself – researcher’s recommendations
Disable or turn off notification preview for all sensitive apps.
Specific steps for iPhone:
Settings → Notifications → Select the target app → Turn off “Show Preview”.
Or go to Settings → Notifications and set preview display to “When Unlocked” or “Never”.
The researcher also urges Apple to limit the caching time of notification messages in the system to reduce user risk. Until such changes occur, the only reliable mitigation is to turn off notification previews.
6. Red‑team perspective
From an attacker’s viewpoint, mobile device forensics remains a blind spot for defenders. End‑to‑end encryption protects the transmission layer, but the operating system’s behavior cannot be configured away; you can only prevent the preview from showing plaintext.
For users who require strong privacy, relying solely on a “secure” app is insufficient—device security settings such as notification preview, lock‑screen preview, and Siri suggestions can all become data leakage vectors.
Red‑team members and penetration testers should understand these mechanisms to better assist clients in building defenses.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
