How the FBI Recovered Deleted Signal Messages from iPhone Notification Logs

Security researcher @RedHatPentester demonstrates that, despite uninstalling Signal, the FBI can extract plaintext messages from iPhone notification cache databases—a forensic flaw stemming from iOS’s write‑optimized storage that retains deleted notification previews, a risk that also affects Android devices.

Black & White Path
Black & White Path
Black & White Path
How the FBI Recovered Deleted Signal Messages from iPhone Notification Logs

1. FBI has used this technique before: App deleted, evidence remains

The FBI previously recovered Signal messages from a suspect’s iPhone even though the Signal app had been uninstalled for months. They did not exploit a zero‑day vulnerability nor break Signal’s end‑to‑end encryption; instead they performed forensic analysis of the device’s notification database.

Security researcher @RedHatPentester replicated the same method on his own device and succeeded in retrieving the message contents.

2. The issue is not encryption failure but a system‑level cache defect

When a message arrives via Apple Push Notification service (APNs), iOS creates a preview on the lock screen and in the notification center according to the user’s preview settings. These preview texts are temporarily stored in a system‑level database and notification log.

The problem lies in iOS’s write‑optimized storage: deleted data blocks are merely marked as free and are not immediately overwritten. During this window, forensic tools can recover the residual data.

Thus, even after uninstalling an app or deleting chat history, fragments of the messages may remain intact in the system database.

3. Forensic tools see “deletion” as only a superficial cover

In mobile forensics, any data that has not been physically damaged or fully overwritten can potentially be recovered. Here, even a “clean” uninstall leaves notification fragments that are fully visible to forensic software, which can automatically reassemble them into complete messages.

This provides investigators with valuable evidence but poses a serious privacy risk for users.

iOS notification cache forensic screenshot
iOS notification cache forensic screenshot

4. Android is not immune

Multiple users reported that Android also retains notification previews in a history log (Settings → Notifications → Advanced → Notification history). Therefore, the default notification preview on both iOS and Android acts as a “time bomb” for sensitive applications.

5. How to protect yourself – researcher’s recommendations

Disable or turn off notification preview for all sensitive apps.

Specific steps for iPhone:

Settings → Notifications → Select the target app → Turn off “Show Preview”.

Or go to Settings → Notifications and set preview display to “When Unlocked” or “Never”.

The researcher also urges Apple to limit the caching time of notification messages in the system to reduce user risk. Until such changes occur, the only reliable mitigation is to turn off notification previews.

6. Red‑team perspective

From an attacker’s viewpoint, mobile device forensics remains a blind spot for defenders. End‑to‑end encryption protects the transmission layer, but the operating system’s behavior cannot be configured away; you can only prevent the preview from showing plaintext.

For users who require strong privacy, relying solely on a “secure” app is insufficient—device security settings such as notification preview, lock‑screen preview, and Siri suggestions can all become data leakage vectors.

Red‑team members and penetration testers should understand these mechanisms to better assist clients in building defenses.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

iOSAndroidsecuritydata deletionSignalforensicsnotification cache
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.