CybersecurityHacking

FBI Extracts Signal Messages from iPhone Push Notification Records

Analyst 207||Source: Schneier
iPhone lock screen with a notification showing a blurred message preview.
“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

The forensic finding: Signal messages recovered from an iPhone notification database

According to reporting by 404 Media, the FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone even after the Signal app was deleted. The extraction succeeded because copies of the message content had been saved in the device’s push notification database, which remained on the phone after the app was removed.

How notification previews end up in iPhone internal memory

The court-notes quote above explains the apparent mechanism: when the Signal app settings permit message notifications and previews to appear on the lock screen, the iPhone “internally store[s] those notifications/message previews” in device memory. The reporting does not name the defendant or provide technical dump data; it records that the notification previews themselves were preserved in an iPhone-managed database that forensic tools could read.

Forensic extraction requires physical access and specialized tools

The reporting reiterates a core point about digital forensics: extraction in this case occurred after someone with physical access to the device used specialized software to read the device’s stored notification data. The story frames this as a general lesson — that forensic extraction, when an examiner has physical custody of a phone and the right tools, can reveal sensitive content from secure messaging apps in unexpected OS-managed locations.

Signal’s notification-preview setting and why it matters

Signal “already has a setting that blocks message content from displaying in push notifications,” the report notes. The case is cited as an example of why that setting might be important for some users to enable. The reporting stops short of asserting whether enabling the setting would have prevented the stored previews in this specific phone, but it frames the setting as a deliberate design choice intended to limit message content exposure via notifications.

What this means for end users, technologists, and prosecutors

  • End users: The report suggests users who are concerned about leaving message content on a device might consider notification-preview settings; the story highlights that notification behavior can move message content from an app into OS-managed storage visible to forensic extraction.
  • Technologists and security teams: The episode points to a need to look beyond app-level storage when evaluating privacy guarantees: OS-level notification databases can retain content and should be included in threat models and forensic readiness planning.
  • Prosecutors and examiners: The case documents a concrete source of evidentiary text for investigators with lawful physical access and tools — namely, the iPhone push notification database —even when the messaging app itself has been removed.

The narrow factual record reported by 404 Media and summarized here is straightforward: in at least one prosecutorial matter, incoming Signal messages were recoverable from an iPhone’s push notification database after the app was deleted, and observers at the trial recorded that lock-screen notification previews can be stored in internal device memory. That combination — push notifications enabled, stored previews, and an examiner with physical access and specialized software — produced recoverable content that otherwise might have been assumed unavailable once the app was uninstalled.

Link to original reporting: https://www.schneier.com/blog/archives/2026/04/fbi-extracts-deleted-signal-messages-from-iphone-notification-database.html

Emerging ThreatsForensic AnalysisIphoneLaw EnforcementMobile SecuritySignalApp SecurityPush NotificationsData Extraction
Related Intelligence

Continue Reading

Blurred Teams meeting on laptop screen in office setting with abstract overlays.

Microsoft Bolsters Teams Security with Enhanced Bot Protections

Microsoft is stepping up its Teams security game with enhanced bot protections, allowing admins to block third-party bots from joining meetings without approval. This new policy gives organizations greater control over who can access their meetings, helping to prevent malicious apps and unwanted disruptions.

Analyst 207
Devices with blank screens sit on a table in a public area, surrounded by people in the background.

AirDrop and Quick Share Flaws Expose Devices to Local Attacks

Millions of devices are vulnerable to local attacks due to flaws in popular sharing services like AirDrop and Samsung Quick Share, discovered by researchers Arash Ale Ebrahim and Nils Ole Tippenhauer. They found six distinct flaws that can be exploited by nearby attackers to crash services or bypass security checks.

Analyst 207
Cybersecurity workstation with Linux computer, equipment, and reference materials on a neutral background.

Kali Linux Release Bolsters Cybersecurity Arsenal with 9 New Tools

Kali Linux just got a major boost with its latest release, packing 9 new tools to supercharge your cybersecurity arsenal. This update slashes boot time by nearly 3x and trims down the initrd to just 60 MB for VM users.

Analyst 207
Network operations room with load balancer appliance surrounded by standard networking equipment.

Progress LoadMaster Flaw Lets Attackers Run Root Commands Pre-Auth

A critical flaw in Progress Kemp LoadMaster, known as CVE-2026-8037, allows attackers to run root commands without authentication - but a patch is now available to fix this gaping security hole. This vulnerability, scoring a severe 9.8, can be exploited with a simple crafted API request.

Analyst 207