Notification bug that let FBI access messages patched with iOS 26.4.2

People being investigated by the FBI deleted Signal, but some messages were still retrievable from the iPhone's notification database. The latest iOS update patches this vulnerability.

Users should reasonably expect that deleting an app from their iPhone will remove all associated data. However, a recent case involving the FBI showed that some notification data was being retained by mistake.

The iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 updates released on Wednesday address the notification database issue directly. The notes simply say that "a logging issue was addressed with improved data redaction."

A report from 404 Media shed light on the vulnerability on April 9. So, it didn't take long for Apple to patch the problem once it was made public.

The case in question was an important one for political talking points. It was the first time the designation "Antifa" was used against people in court.

A group of people were being charged with vandalizing property, setting off fireworks, and shooting a police officer in the neck. The event took place in July 2025.

The notification problem

During the testimony, the FBI agents shared that they were able to get evidence via notifications stored on the defendant's iPhone even though the Signal app had been deleted. It appears that this was able to occur because of a setting users could enable in the Signal app.

One person present for the trial shared the following statement with 404 Media:

"We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the Lock Screen, then the iPhone will internally store those notifications or message previews in the internal memory of the device."

It wasn't a particular problem with Signal, but how the iPhone was storing data in its notification database. Especially since those notifications should have been removed once dismissed from the Lock Screen, or at the least, when Signal was deleted.

The data wasn't obtained through normal means, but via a forensic tool used by the FBI. Think GrayKey or Cellebrite.

These tools utilize unpatched vulnerabilities that Apple may know about but haven't patched or don't know about at all. The tools extract what they are able to, though with iPhone, it is hit and miss depending on the device and iOS version.

In this case, it was able to extract the notification database and pull the messages that were received from Signal. Luckily, users no longer need to take any action, as that issue has been patched.

It just goes to show that there is no such thing as an impenetrable fortress. The iPhone may be quite the robust device in terms of security and privacy, but there are always bad actors looking for new ways to get around that.

Signal is still a great tool, so don't feel the need to rush off and find a new encrypted messaging service. Just remember that modern technology is mostly a black box, so you can't always be 100% certain that something is working as it should.

For the vast majority of the population, all you need is an iPhone that is up to date with the latest version of iOS, updated apps, and settings like Advanced Data Protection.