GoKawiilApple fixed a security bug that made it possible for cops to access content from deleted Signal messages.
Vulnerable users hoping to evade law enforcement surveillance often use encrypted apps like Signal to communicate sensitive information. That’s why users felt blindsided when 404 Media reported that Apple was unexpectedly storing push notifications displaying parts of encrypted messages for up to a month. This occurred even after the message was set to disappear and the app itself was deleted from the device.
404 Media flagged the issue after speaking to multiple people who attended a hearing where the FBI testified that it “was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.” The shocking revelation came in a case that 404 Media noted was “the first time authorities charged people for alleged ‘Antifa’ activities after President Trump designated the umbrella term a terrorist organization.”
On Wednesday, Apple confirmed that it had fixed a bug allowing the FBI to access this content. Affected users concerned about push notifications can update their devices to stop what Apple characterized as “notifications marked for deletion” that “could be unexpectedly retained on the device.”
According to Apple, the push notifications should never have been stored, but a “logging issue” failed to redact data.
On Bluesky, Signal celebrated the update, saying it was “very happy” that Apple did not delay fixing the bug.
“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue,” Signal’s post said. “It takes an ecosystem to preserve the fundamental human right to private communication.”
In their post, Signal confirmed that after users update their devices, “no action is needed for this fix to protect Signal users on iOS.”