Apple has fixed a security flaw exploited by law enforcement to access deleted Signal messages from iPhones. The bug, disclosed in an Apple security advisory Wednesday, allowed notifications marked for deletion to “unexpectedly remain on the device.”
How the FBI Accessed Private Chats
The vulnerability was first highlighted by 404 Media on April 9, based on documents disclosed in Texas federal court. The documents relate to an FBI case involving an attack on the Prairieland ICE detention center last July. Court proceedings showed that the FBI pulled a defendant’s Signal messages from the iPhone’s notification database, which cached readable previews of incoming Signal messages. This happened even after enabling Disappearing Messages and deleting the app.
Signal confirmed the fix on Signal uses end-to-end encryption to secure messages between users. But this incident shows that encryption alone does not fully protect data when operating systems or devices store notification previews.
Calls for change from industry leaders
Signal President Meredith Whittaker urged Apple to resolve the issue quickly. In an April 14 X article, she said that notifications of deleted messages should not remain in any operating system’s notification database.
Pavel Durov, co-founder of Telegram, also spoke. In an April 14 post on his platform, he claimed the only way to stay safe was for an app to “force no notification previews” on both ends of a conversation.
The fix, while welcome, is a reminder that email privacy doesn’t just depend on encryption. Device settings, notification behavior, and how operating systems handle cached data can all create gaps. Users who want additional protection can consider disabling message previews entirely in their notification settings.
For now, Apple’s patch fills a specific hole. But the broader debate over how to keep private messages private is far from over.
