An iOS vulnerability allowed forensic recovery of Signal messages from iPhones where the app had been deleted — surfaced by an FBI extraction in a federal case, and now patched by Apple.

A newly patched vulnerability in Apple’s notification system allowed law enforcement to recover Signal messages from iPhones — even after the user had deleted the app. The flaw, fixed in this week’s iOS update, raises serious questions about what “deleted” really means on a modern smartphone.

What was wrong

The vulnerability, designated CVE-2026-28950, was a logging error in Apple’s Notification Services framework. Notifications that the operating system had flagged for deletion were unexpectedly retained on the device, accessible to forensic tools that knew where to look.

In Apple’s own advisory, the company described the issue bluntly: “Notifications marked for deletion could be unexpectedly retained on the device.” The fix — enhanced data redaction — was issued as part of iOS 26.4.2 and iPadOS 26.4.2, with parallel updates iOS 18.7.8 and iPadOS 18.7.8 for older devices.

How it came to light

The flaw was uncovered, indirectly, through a federal investigation. According to a report from 404 Media, FBI forensic specialists extracted copies of Signal messages from a suspect’s iPhone in a case involving an attack on the Prairieland ICE detention center. Signal had been deleted from the device, yet the messages, preserved in the push-notification database, were still recoverable.

Coverage from The Hacker News, which first reported on Apple’s patch, noted that the date the vulnerability was introduced into iOS is not publicly known, raising questions about how many earlier cases may have benefited from the same forensic technique.

Privacy implications

For users of end-to-end encrypted messengers, the assumption has long been that deleting the app removes the content. The Apple flaw breaks that assumption — and it does so quietly, in a system component most users will never think about.

The Electronic Frontier Foundation, commenting on the episode, pointed to a broader issue: notification metadata, far from being trivial, can be revealing.

“For most app notifications, there’s no simple way to easily figure out what metadata might be gleaned from a notification, or if the notification is unencrypted or not.”

— Electronic Frontier Foundation

Signal’s response

Signal acknowledged the patch publicly. “Once you install the patch, all inadvertently-preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications,” the messenger said via its official X account, praising Apple for moving quickly once the issue surfaced.

What users should do

Three concrete steps for iPhone users:

  1. Update immediately. Settings → General → Software Update — install iOS 26.4.2 or iOS 18.7.8 depending on your device.
  2. Limit Signal notification content. Open Signal → Profile → Notifications → Show, and select either “Name only” or “No name or message.” This prevents the message body from being captured by the notification system in the first place.
  3. Apply the same logic to other secure apps. Any messenger that displays content in lock-screen notifications is potentially exposed by similar issues. Switching to “Name only” notifications across the board is a simple, low-cost privacy upgrade.
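
For anyone responsible for more than one device, step 1 can be checked across an inventory. The script below is an added example, not part of the original report or of Apple's advisory; the CSV layout, device names and status labels are assumptions, and a later release on the same major line is assumed to contain the fix.

```python
import csv
import io

# Fixed releases named in the advisory quoted above (iOS and iPadOS share numbers).
FIXED = {26: (26, 4, 2), 18: (18, 7, 8)}

# Constructed sample inventory; the column layout is an assumption for illustration.
SAMPLE_INVENTORY = """device,os_version
phone-a,26.4.2
phone-b,26.4.1
tablet-c,18.7.8
phone-d,18.6
phone-e,17.7.2
phone-f,26.5
phone-g,unknown
"""

def parse_version(text):
    """Return a 3-tuple of ints, padding missing parts with 0; None if malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text):
    """Classify one OS version against the fixed releases for CVE-2026-28950."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED.get(version[0])
    if fixed is None:
        # No fix is listed for this major line, so report that rather than guess.
        return "no_fix_listed"
    # Assumption: releases after the fix on the same major line retain it.
    return "patched" if version >= fixed else "needs_update"

def audit(inventory_csv):
    """Map device name to status for every row in the inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: classify(row["os_version"]) for row in reader}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as `no_fix_listed` or `unparseable` need manual review rather than being counted as safe.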

The bigger picture

This is the latest high-profile case in which “encrypted” or “deleted” data has proven less private than users assumed — and once again, the weak point was not the encryption itself, but the supporting infrastructure around it. As governments and forensic firms continue investing in mobile device extraction tools, more vulnerabilities of this shape are likely to surface.

This article will be updated if Apple, the FBI, or affected parties issue further comment.


This report draws on original reporting by Ravie Lakshmanan at The Hacker News (April 23, 2026) and earlier reporting by 404 Media on the FBI’s forensic extraction.
