Apple Patches Security Loophole That Allowed FBI to Recover Deleted Signal Messages

A critical security vulnerability that allowed law enforcement to bypass end-to-end encryption has been addressed by Apple. A recent software update has patched a bug that enabled the FBI to recover deleted messages from the Signal app by accessing residual data within iPhone notifications.

The Vulnerability: How Encryption Was Bypassed

While Signal is renowned for its high-level end-to-end encryption, the security flaw did not reside within the Signal app itself, but rather within the iOS notification system.

When a user receives a message, the phone generates a push notification. In the case identified by investigators, even after a user deleted a message within the Signal app, the corresponding notification remained stored on the device’s system. Because these notifications often contain the plain-text content of the message to allow for quick reading, they acted as a “backdoor.”

By extracting these retained notifications, the FBI was able to reconstruct conversations that the user believed had been permanently erased.

The Fix: Apple’s Security Update

Apple has addressed this issue under the identifier CVE-2026-28950. While the company’s official security bulletin remains brief, it confirms that “notifications marked for deletion could be unexpectedly retained on the device.”

To ensure your device is protected, you should update to the following versions:
iOS 26.4.2 (for iPhone)
iPadOS 26.4.2 (for iPad)
iOS 18.7.8 (for compatible models)

The patch ensures that once a notification is marked for deletion, the operating system properly purges the data, preventing it from being harvested later.
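For anyone checking more than one device, the version check can be scripted. The following is an added example, not code from Apple or Signal: it compares a device inventory against the fixed builds listed above. The inventory rows, device names and status labels are constructed for illustration, and any OS branch the list above does not mention is reported as "unlisted" rather than guessed.

```python
# Added example. Fixed builds are the ones named in the article; everything
# else (device names, status labels, sample rows) is constructed.
FIXED = {
    ("iOS", 26): (26, 4, 2),
    ("iPadOS", 26): (26, 4, 2),
    ("iOS", 18): (18, 7, 8),
}

def parse_version(text):
    """Turn '26.4' or '18.7.8' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected version format: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_name, version):
    """Return 'patched', 'needs-update', 'unlisted' or 'unparseable'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    # Compare only against the fixed build of the device's own major branch:
    # an 18.x device is measured against 18.7.8, not against 26.4.2.
    fixed = FIXED.get((os_name, v[0]))
    if fixed is None:
        return "unlisted"  # the article names no fixed build for this branch
    # Tuple comparison is numeric, so 26.10 correctly sorts after 26.4.2.
    return "patched" if v >= fixed else "needs-update"

def audit(rows):
    """Map each device name to its status."""
    return {device: classify(os_name, version) for device, os_name, version in rows}

# Constructed sample inventory (device, OS, reported version).
SAMPLE_INVENTORY = [
    ("phone-a", "iOS", "26.4.2"),
    ("phone-b", "iOS", "26.4"),
    ("phone-c", "iOS", "26.10"),
    ("phone-d", "iOS", "18.7.7"),
    ("tablet-a", "iPadOS", "26.4.1"),
    ("tablet-b", "iPadOS", "18.7.8"),
    ("phone-e", "iOS", "17.6.1"),
    ("phone-f", "iOS", "beta"),
]

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print("%-10s %s" % (device, status))
```

Devices reported as "unlisted" or "unparseable" need a manual check against Apple's security bulletin rather than being treated as safe.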

Proactive Privacy: How to Secure Your Notifications

Even with the patch, security experts recommend a “defense-in-depth” approach. Relying solely on OS-level deletions means your data is still briefly vulnerable during its lifecycle.

To maximize privacy, Signal users can prevent sensitive information from ever appearing in the system’s notification logs by adjusting their app settings:

  1. Open Signal.
  2. Navigate to Settings.
  3. Tap on Notifications.
  4. Select Notification Content.
  5. Choose No Name or Content.

By selecting this option, your phone will notify you that you have a new message, but it will not display the sender’s identity or the message text on the lock screen or in the notification center. This ensures that even if a device is seized, the notification logs remain useless to investigators.

Summary: Apple has patched a bug that allowed the FBI to read deleted Signal messages via lingering push notifications. While the update fixes the technical loophole, users can further enhance their privacy by disabling message previews in their Signal notification settings.