
Apple quietly patched the vulnerability that allowed the FBI to recover “deleted” Signal messages on an iPhone


The privacy of the iPhone took a blow that very few expected. The FBI managed to recover deleted Signal messages on an Apple device, and it was not by hacking the encryption or asking for access to the application’s servers. The way in was right where no one was looking: in the iOS notification history. The most striking thing is that Apple has already released a patch to close that gap, although without saying so openly.

FBI exploited an unknown vulnerability to hack an iPhone

It all came to light during a trial in the United States in April 2026. FBI Special Agent Clark Wiethorn testified about how investigators recovered Signal messages belonging to one of the defendants, even after the app had been deleted from the phone and the messages were set to self-destruct.

The key to the matter is that the FBI did not need to break Signal’s encryption or ask the company for anything. Instead, it accessed the internal iOS push notification data, a file that Apple’s own operating system maintains completely separate from the application container. In other words: Signal deleted the messages, but iOS continued saving them in its own notification storage.

The specific case involves a defendant accused of vandalizing facilities at the ICE detention center, shooting at a police officer and launching fireworks, as reported by 404 Media. The phone had been handed over, the app was uninstalled and the messages were still accessible. A situation that, let’s be honest, should not be possible on one of the most secure phones in the world.

This is how the vulnerability worked step by step

To understand why this bug is so relevant, you have to know how iOS handles push notifications. When someone sends you a message on Signal, the operating system has to decrypt it locally in order to show you the preview on the lock screen, that text that says “John: See you at 8.”

Here is the problem: that decrypted content (the contact name and the text fragment) is stored in an internal cache of the operating system. That cache exists outside of the app’s control. Signal can delete its own data down to the last byte, but the iOS cache is still intact.

The key points of how this vulnerability worked are the following:

  • The system stored the complete content of the message in the notification data table, as long as previews were activated
  • It only affected received messages, not those sent, because push notifications are only generated on the recipient’s device
  • The FBI would have used commercial forensic tools to extract data from that internal data store, according to cybersecurity experts
  • The app could be completely uninstalled and the messages were still accessible in that system cache
  • It is not a remotely exploitable computer virus, but a behavior inherent to how iOS handles notifications, which makes it even more interesting from a forensic point of view

Signal, for its part, always offered an option to avoid this: in the app settings, there is the “No name, no preview” setting, which instructs the operating system not to store the actual content of messages in that cache. The problem is that most users never activate that option.

The Apple patch and what you should do now

Apple responded without saying anything. In iOS 26.4, the company subtly changed the way the system validates push notification tokens. Experts interpret this adjustment as a direct response to this case, although Apple did not issue an official statement explaining exactly what changed or why. Signal also did not make any formal statements.

This institutional silence contrasts with the seriousness of the matter. Millions of people around the world use Signal precisely because they trust it with their privacy, and now they discover that iOS had an inadvertent trap that could expose their conversations to forensic extraction.

If you use Signal or other encrypted messaging apps on iPhone, these are the steps you should take today:

  1. Update to iOS 26.4 or higher to make sure the patch is applied to your device
  2. Turn off previews in Signal notifications: go to Settings > Notifications > Signal and select “Hide content”
  3. Within the Signal app itself, activate the option “No name, no preview” in notification settings
  4. Activate ephemeral messages in your most sensitive conversations as an additional layer of protection

What this case makes clear is that the security of an app depends not only on the encryption of its messages, but also on how it interacts with the operating system. The weakest link was not in Signal, but in iOS. And for a period whose exact length no one knows, that window was open.
