Apple patches iOS flaw the FBI used to read deleted Signal messages

By: Anton Kratiuk | today, 16:43

If you use Signal and trust that deleting messages — or the app itself — means they're gone, Apple's latest security patch reveals why that assumption was wrong. iOS 26.4.2 and iPadOS 26.4.2, released April 22, fix CVE-2026-28950, a flaw in the system's notification services that allowed incoming message previews to linger in an internal database long after users thought they'd been erased.

The forensic workaround

Signal's end-to-end encryption wasn't broken. The problem sat one layer below the app: iOS generates a copy of incoming messages to display on the lock screen, and that preview was being stored in the NotificationCenter database far longer than necessary. Investigators didn't need to crack Signal — they just read what the operating system had already saved for them.

That's exactly what happened in a real case. 404 Media first detailed how FBI forensic specialists used commercial tools to pull those cached previews directly from a suspect's iPhone in the Texas Prairieland ICE case, tied to a July 2024 attack. The defendant had enabled disappearing messages and later deleted Signal entirely — neither action cleared the notification cache. Only incoming messages were recovered this way; outgoing messages are handled differently at the OS level.

Why the patch matters

Apple described the fix as an improvement to "data redaction mechanisms in the system database" — meaning the OS will now properly wipe message traces when they're no longer needed or when a user deletes them. As Engadget notes, the Electronic Frontier Foundation has long flagged that push notifications are vulnerable both in cloud routing and in local on-device storage — Apple has required a court order for notification data since 2023, but that didn't prevent physical device extraction using forensic tools.

Patches also landed for older devices: iOS 18.7.8 and iPadOS 18.7.8 cover the same vulnerability on hardware that can't run iOS 26.

What to do now

Update immediately — Settings > General > Software Update. Signal also offers a setting that stops message content from appearing in notifications at all: Settings > Notifications > Notification Content > "No Name or Content." Enabling that would have prevented caching in the first place. The broader lesson here is that a secure app running on a leaky OS is only as private as the weakest data store underneath it.