Apple quietly patched the vulnerability that allowed the FBI to read deleted messages from Signal on an iPhone
The vulnerability discovered by the FBI allowed them to access iPhone notifications and thus read app messages
iPhone privacy suffered a blow that very few expected. The FBI managed to recover deleted Signal messages on an Apple device, and it wasn't by hacking the encryption or requesting access to the app's servers. The entry point was right where no one was looking: in the iOS notification history. What's most striking is that Apple had already released a patch to close that vulnerability, although without explicitly stating so.
FBI exploited an unknown vulnerability to hack an iPhone
It all came to light during a trial in the United States in April 2026. FBI Special Agent Clark Wiethorn testified about how investigators recovered Signal messages from one of the defendants, even after the app had been deleted from the phone and the messages were set to self-destruct.
The key to the matter is that the FBI didn't need to break Signal's encryption or request anything from the company. Instead, they accessed iOS's internal push notification database, a file that Apple's operating system itself keeps completely separate from the application container.
In other words: Signal deleted the messages, but iOS continued to store them in its own notification storage.
The specific case involves a defendant accused of vandalizing ICE detention center facilities, shooting a police officer, and setting off fireworks, as reported by 404 Media. The phone had been surrendered, the app was uninstalled, and the messages were still accessible. A situation that, let's be honest, shouldn't be possible on one of the most secure phones in the world.
How the vulnerability worked step by step
To understand why this flaw is so relevant, you need to know how iOS handles push notifications. When someone sends you a message on Signal, the operating system has to decrypt it locally to be able to show you the preview on the lock screen, that text that says “John: See you at 8.”
Here's the problem: That decrypted content—the contact's name and the text snippet—is stored in an internal operating system cache. This cache exists outside the app's control. Signal can delete its own data down to the last byte, but the iOS cache remains intact.
The key points of how this vulnerability worked are as follows:
Signal, for its part, always offered an option to avoid this: in the app's settings, there's a "No Name, No Preview" setting that instructs the operating system not to store the actual message content in that cache. The problem is that most users never activate that option.
Apple's Patch and What You Should Do Now
Apple responded silently. In iOS 26.4, the company subtly modified how the system validates push notification tokens. Experts interpret this adjustment as a direct response to this case, although Apple didn't issue any official statement explaining exactly what changed or why.
Signal also did not make any formal statements.
This institutional silence contrasts sharply with the seriousness of the matter. Millions of people around the world use Signal precisely because they trust its privacy, and now they discover that iOS had an unintentional trap that could expose their conversations to forensic extraction.
If you use Signal or other encrypted messaging apps on iPhone, here are the steps you should take today:
What this case makes clear is that an app's security depends not only on the encryption of its messages, but also on how it interacts with the operating system. The weakest link wasn't in Signal, but in iOS. And no one knows exactly how long that vulnerability remained open.

