According to a new 404 Media report, the FBI succeeded in recovering deleted Signal messages from an iPhone by extracting data stored in the device's notification database. Here are the details.
Access to Notification History Despite Signal Deletion
According to 404 Media, in a case related to "a group of people setting off fireworks and damaging property" at the ICE Prairieland Detention Facility in Texas, the FBI managed to recover the content of Signal messages from a defendant's iPhone, even though Signal had been removed from the device:
One of the defendants was Lynette Sharp, who had previously pleaded guilty to providing material support to terrorists. On one day of the trial, FBI Special Agent Clark Wiethorn testified about some of the evidence collected. The summary of exhibit number 158 published on the supporters' website stated, "Messages were recovered from Sharp's phone through Apple's internal notification storage - Signal had been removed, but incoming notifications were stored in internal memory. Only incoming messages were captured (no outgoing messages)."
404 Media notes that Signal's settings include an option that prevents message content from being shown in notifications. However, it appears that the defendant had not enabled this setting, which seems to have allowed the system to store the content in the database.
404 Media reached out to Signal and Apple, but neither company provided any explanation of how notifications are processed or stored.
So, how does this internal storage work?
Since very few technical details are known about the exact state of the defendant's iPhone, it is impossible to determine the exact method the FBI used to retrieve the information.
For example, an iPhone can be in several different system states, each with its own security and data access restrictions, such as BFU (Before First Unlock) and AFU (After First Unlock).
Moreover, when the device is unlocked, security and data access can change even more dramatically, as the system assumes the user is present and grants broader access permissions to protected data.
iOS relies on these different states to decide how securely the large amount of data it stores and caches locally is protected, so that it is available when the device's actual owner needs it.
Another important factor to consider: the token used to send push notifications is not immediately invalidated when an app is deleted. Since the server does not know whether the app is still installed after it sent the last notification, it may continue to send notifications, leaving it up to the iPhone to decide whether to display them.
Interestingly, Apple changed the way push notification tokens are validated in iOS 26.4. While it is impossible to determine whether this change is a result of the case, the timing is notable.
Returning to the case, based on the statement in exhibit number 158 that "messages were recovered from Sharp's phone through Apple's internal notification storage", it is possible that the FBI extracted the information from a device backup.
In that case, there are many commercially available tools that could exploit iOS vulnerabilities to help the FBI access this information.
Follow this link to read 404 Media's original report related to this case.