Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Apr 13, 2026 · 5 min read

The FBI Read Deleted Signal Messages on an iPhone—Without Breaking Encryption

iOS keeps copies of incoming messages in a notification database that survives app deletion. Forensic tools extract them in minutes.

An iPhone lying on a table with a notification preview visible on the lock screen, symbolizing the persistence of message data in iOS notification storage

What Happened

In a Texas terrorism prosecution, the FBI extracted deleted Signal messages from a defendant's iPhone without breaking the app's end to end encryption. The messages had been erased, the disappearing messages feature was turned on, and the app itself had been uninstalled. None of that mattered.

During testimony in the Prairieland case, FBI Special Agent Clark Wiethorn described how forensic analysts recovered incoming Signal messages from Lynette Sharp's seized phone. The evidence was entered as Exhibit 158 and showed that message content had survived in a place Signal never controlled: Apple's internal notification storage.

How iOS Keeps Messages You Thought Were Gone

When a messaging app sends a push notification with a message preview, iOS stores that content in an internal database managed by its BulletinBoard framework. This cache is designed to power lock screen notifications, Notification Center, and Siri suggestions.

The problem is that iOS does not immediately discard this data. Notification records can persist for weeks, completely independent of the originating app. Deleting Signal, enabling disappearing messages, or wiping your chat history does nothing to this system level cache. The messages exist outside the app's control.

Forensic tools like Cellebrite can pull these records from a seized device. Because iOS stores the notification database in an After First Unlock (AFU) encryption state, the data is accessible as long as the phone has been unlocked at least once since it was last powered on. That is the case for nearly every phone seized by law enforcement.

What This Does and Does Not Mean

Signal's encryption was not broken. The FBI did not intercept messages in transit or compromise Signal's servers. What they exploited was a gap between what the app protects and what the operating system stores.

Only incoming messages were recovered. Outgoing messages do not pass through the push notification system the same way, so they were not present in the cache. Still, even one side of a conversation can reveal contacts, plans, and sensitive information.

This is also not a Signal specific vulnerability. Any messaging app that displays content in push notifications, including WhatsApp, Telegram, and iMessage, leaves the same forensic artifacts on iOS. Signal just happened to be the app under scrutiny in this case.

Why This Matters for Journalists and Activists

The Prairieland case involved terrorism charges, but the technique is not limited to terrorism investigations. Any law enforcement agency with access to Cellebrite or similar forensic tools can extract the same data from any seized iPhone. Journalists protecting sources, activists coordinating protests, and whistleblowers communicating with reporters all face the same exposure.

The assumption that encrypted messaging equals invisible messaging is wrong. Encryption protects data in transit. Once a message arrives on your device, its security depends on how the operating system handles it.

How to Protect Yourself

The fix is straightforward but requires manual action on two levels:

  • Inside Signal: Go to Settings > Notifications and set "Notification Content" to "No Name or Content." This prevents Signal from sending message text to iOS's notification system in the first place.
  • At the iOS level: Go to Settings > Notifications > Show Previews and select "Never." This applies globally to all apps and ensures no message content reaches the notification cache.
  • Consider BFU protection: If your threat model includes device seizure, power off your phone when not in use. A phone in Before First Unlock state keeps the notification database encrypted with a key that requires your passcode to derive.

These settings reduce convenience. You will no longer see who messaged you or what they said without opening the app. That is the tradeoff for keeping your conversations out of a forensic extraction report.

The Bigger Picture

Apple patched CVE-2026-28950 on April 22, implementing "improved data redaction" to stop deleted notifications from persisting on devices. The fix shipped as an emergency out of cycle update for iOS 26.4.2 and iOS 18.7.8.

This case follows a pattern of law enforcement accessing encrypted communications through side channels rather than brute force. In December 2025, researchers found that iOS shutdown logs could reveal spyware infections. Earlier, the FBI used Apple's Hide My Email feature to unmask an anonymous user's identity. Each case demonstrates that the weakest link in encrypted messaging is rarely the encryption itself. It is everything around it.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.