FBI's iPhone Notification Loophole: How Deleted Signal Messages Aren't Really Deleted
Key Findings
- FBI successfully recovered deleted Signal messages from an iPhone using Apple's notification database
- Messages were extracted even after the Signal app was completely uninstalled from the device
- Only incoming messages could be recovered, not outgoing ones, confirming data came from notification storage
- The vulnerability affects any messaging app that displays preview notifications, including WhatsApp and Telegram
- Users can disable message previews in iPhone and app settings to prevent this type of recovery
Background
The discovery emerged during a Texas court case involving defendant Lynette Sharp, who was charged in connection with an attack on a detention center in July 2025. When the case went to trial in April 2026, FBI Special Agent Clark Wiethorn revealed during testimony that investigators had accessed and recovered Sharp's deleted Signal messages from her iPhone. This exposed a significant privacy gap that exists between what users believe is deleted and what actually remains on their devices.
How the Notification Database Loophole Works
When a message arrives on an iPhone, the operating system generates a notification preview that appears on the lock screen or notification center. This preview is handled by iOS itself, not by the Signal app. Even if Signal later deletes the message from its own storage, the iPhone's operating system retains a copy of that notification preview in its own database. The FBI used Cellebrite, a forensic tool commonly deployed by law enforcement, to scan the seized device and extract these stored notification previews. The fact that only incoming messages were recovered confirms this data came directly from the phone's notification storage rather than from Signal's encrypted servers.
The Vulnerability Extends Beyond Signal
This security issue is not unique to Signal and represents a broader problem with how iOS handles message notifications. Any messaging app that displays preview text in notifications, including WhatsApp and Telegram, faces the same vulnerability. Even apps with strong end-to-end encryption can leave traces of their content in the phone's notification logs. Telegram's founder Pavel Durov recently criticized WhatsApp's security practices, claiming that despite its encryption marketing, the company reads user messages and shares them with third parties. The notification database vulnerability demonstrates that encryption strength alone cannot protect messages if the operating system itself is storing preview data.
How to Protect Your Messages
Users can prevent their iPhones from storing message previews by adjusting settings in two places. First, go to your iPhone's notification settings for Signal and change Show Previews to Never. Then open the Signal app itself, navigate to Settings, select Notifications, and set Notification Content to No Name or Content. After making these changes, your phone will still alert you when messages arrive, but it will not display or retain any message text. Without preview data stored on the device, forensic tools like Cellebrite have nothing to extract. The same protection method should be applied to WhatsApp, Telegram, and any other messaging app to ensure message content remains hidden from notification logs.