How the FBI Extracted Deleted Signal Messages From a Defendant's iPhone

Lifehacker, Apr 9, 2026

Why It Matters

The case shows that end‑to‑end encryption alone cannot protect data once it appears in system‑level notifications, raising privacy concerns for individuals and enterprises relying on secure messaging. It also highlights a forensic avenue for law‑enforcement and potential abuse by malicious actors.

Key Takeaways

  • FBI accessed incoming Signal messages via iPhone notification database
  • Deleting the Signal app does not erase stored lock‑screen previews
  • Any app showing lock‑screen alerts leaves readable data on device
  • Signal's 'No Name or Content' setting blocks notification content

Pulse Analysis

Signal’s reputation for strong end‑to‑end encryption has made it a go‑to app for privacy‑conscious users, but the FBI’s recent extraction of deleted messages underscores a hidden vulnerability in iOS. While the app encrypts messages in transit, iOS still caches notification previews for lock‑screen display. Those previews are written to a system database that persists even after the app is removed, allowing investigators to retrieve incoming messages without needing the decryption keys.

The technical nuance lies in iOS’s notification architecture: any app granted permission to show alerts stores a copy of the preview in the Notification Center until the user dismisses it. This behavior is not unique to Signal; messaging, email, and even news apps expose snippets of content. Forensic analysts can query the notification database to reconstruct a user’s recent communications, creating a powerful tool for law‑enforcement but also a potential vector for attackers who gain physical or remote access to a locked device. The case involving vandalism at an ICE detention facility illustrates how such data can become pivotal evidence.

For users and organizations, the takeaway is to adjust notification settings to limit data exposure. Signal offers a "No Name or Content" option that replaces message previews with generic alerts, effectively sealing the leak point. More broadly, the incident prompts a reevaluation of mobile security policies, encouraging the adoption of device‑level encryption, regular notification clearing, and awareness of how system‑level caches can undermine application‑level privacy guarantees.
