The FBI Can Read Your Deleted Signal Messages — Thanks to iPhone Notifications

You use Signal because it’s the gold standard of encrypted messaging. Security researchers recommend it. Privacy advocates swear by it. But the FBI has been recovering deleted Signal messages from iPhones — not by breaking encryption, but by exploiting a gap that Apple’s own notification system leaves wide open.

End-to-End Encryption Has an Endpoint Problem

End-to-end encryption does exactly what it promises: your message is encrypted on your device and only decrypted on the recipient’s device. No one in the middle — not Signal’s servers, not your ISP, not a three-letter agency — can read it in transit.

The critical word there is “in transit.” Once a message lands on your phone and gets decrypted for you to read, it’s no longer protected by E2EE. What happens to that plaintext data is entirely up to your operating system. And iOS has been doing something most users never think about.

Your iPhone Keeps Receipts

When a push notification arrives on iOS, the system logs its content at the OS level. That lock screen preview showing the first few words of your Signal message? iOS writes that to an internal database.

Here’s the problem: that notification log is outside Signal’s jurisdiction. You can delete a message in Signal. You can set disappearing messages to auto-destruct after 30 seconds. None of that touches the iOS notification database. Signal’s developers simply have no access to it — Apple doesn’t give third-party apps that kind of system-level control.

The FBI used forensic tools to access this notification data, successfully recovering the contents of Signal messages that users had already deleted. They didn’t crack encryption. They walked around it.

“Deleted” Doesn’t Mean What You Think

This is a broader truth about digital devices that most people misunderstand. When you delete something on a phone or computer, the OS typically just marks that storage space as available for reuse. The actual data sits there until something else overwrites it.

Law enforcement agencies use tools like Cellebrite and GrayKey — forensic platforms that can scan a device’s file system at a low level and extract deleted data, cached files, temporary storage, and yes, notification logs. If the data ever existed in plaintext on your device, these tools can likely find it. Signal’s encryption protocol is irrelevant at that point. The message already arrived and was decrypted. The horse left the barn.

What You Can Actually Do About This

There are partial mitigations, though none are perfect.

Disable notification previews. In Signal’s settings (or in iOS Settings > Notifications > Signal), switch to showing only “Signal Message” without any content. This reduces what gets logged in the notification database, though it may not eliminate metadata entirely.

Enable Lockdown Mode. Apple’s Lockdown Mode, introduced in iOS 16, significantly reduces the device’s attack surface. It disables various features that forensic tools exploit. The trade-off is real, though — it breaks enough everyday functionality that most people won’t tolerate it as a daily driver.

The fundamental limitation is architectural. App developers cannot fully control how the operating system handles data. Until Apple changes how its notification system retains data, this blind spot will persist.

The Bigger Picture: Encryption’s Recurring Paradox

This isn’t a Signal-specific vulnerability. It’s a structural issue affecting every encrypted messenger on iOS. WhatsApp, iMessage — any app that sends notification previews is potentially exposed through the same path.

The tension here is the same one that’s been simmering since Apple and the FBI clashed over the San Bernardino shooter’s iPhone in 2016. Apple refused to build a backdoor into iOS encryption. The FBI eventually found another way in. This notification loophole is just the latest example of the same pattern: law enforcement doesn’t need to break the front door if there’s a window left open.

End-to-end encryption remains the strongest tool available for digital privacy. But “I use Signal” is not a security policy. Real security means understanding the entire system — not just the app, but the OS underneath it, the hardware it runs on, and every place your data touches along the way. It might be worth checking your notification settings right about now.