iOS Push Notification Database Leaks Signal Messages to Forensic Extraction
Original source: FBI Extracts Deleted Signal Messages from iPhone Notification Database (Schneier on Security)
FBI forensic analysts pulled incoming Signal message content from a defendant’s iPhone even after the Signal app was deleted. The messages persisted in iOS’s push notification database, which caches notification payloads, including message previews, in device memory. With physical access and specialized extraction tooling, investigators recovered material users assumed was protected by end-to-end encryption.
The leak is not a break in Signal’s cryptography. It is a side-channel created by the operating system itself: when an app surfaces message previews on the lock screen, iOS stores that content locally. Signal ships a setting to suppress preview content in notifications, which prevents the OS from retaining the plaintext. Users who left previews enabled effectively handed the OS a plaintext log of their conversations.
The case underscores a recurring problem with secure messaging on general-purpose mobile platforms. Threat models that stop at the app boundary ignore OS-level caches, backups, and accessibility services that can retain decrypted content outside the app’s control. For high-risk users, disabling notification previews is not a cosmetic choice but a meaningful hardening step.
This is an AI-generated summary. Read the original for the full story.