Apple has fixed a security flaw that law enforcement exploited to access deleted Signal messages from iPhones. The bug, disclosed in an Apple security advisory on Wednesday, allowed notifications marked for deletion to “unexpectedly remain on the device.”
How the FBI accessed private chats
The vulnerability was first highlighted by 404 Media on April 9, based on documents unsealed in Texas federal court. The documents relate to an FBI case about an attack on the Prairieland ICE Detention Facility last July. Court proceedings showed the FBI extracted a defendant’s Signal messages from the iPhone’s notification database, which held cached, readable previews of incoming Signal messages. This happened even after disappearing messages were enabled and the app was deleted.
Signal confirmed the fix on X, stating Apple’s advisory noted the bugs were resolved in the latest iOS release. Signal uses end-to-end encryption to secure messages between users. But this incident shows that encryption alone may not fully protect data when operating systems or devices store notification previews.
Calls for change from industry leaders
Signal President Meredith Whittaker urged Apple to fix the issue quickly. In an April 14 X post, she said notifications for deleted messages should not remain in any operating system’s notification database.
Pavel Durov, co-founder of Telegram, also weighed in. In an April 14 post on his platform, he argued the only way to stay safe is for an app to “force an absence of notification previews” on both ends of a conversation.
The fix, while welcome, serves as a reminder that privacy in messaging depends on more than just encryption. Device settings, notification behavior, and how operating systems handle cached data can all create gaps. Users who want extra protection might consider disabling message previews entirely in their notification settings.
For now, Apple’s patch closes a specific hole. But the broader conversation about how to keep private messages truly private is far from over.
