FBI Employs iPhone Notification Information to Retrieve Erased Signal Messages


A recent article from 404 Media indicates that the FBI managed to retrieve deleted Signal messages from an iPhone by extracting data held in the device’s notification database. Here are the specifics.

### Notification History Was Retrieved Even After Signal Was Uninstalled

As reported by 404 Media, evidence presented in a recent court case concerning individuals igniting fireworks and defacing property at the ICE Prairieland Detention Facility in Alvarado, Texas, demonstrated that the FBI could recover the contents of incoming Signal messages from a defendant’s iPhone, despite Signal being uninstalled from the device:

> A defendant in the case was Lynette Sharp, who had earlier admitted to providing material assistance to terrorists. On a particular day during the trial, FBI Special Agent Clark Wiethorn provided testimony regarding some of the evidence collected. A summary of Exhibit 158 shared on a supporters’ website states, “Messages were retrieved from Sharp’s phone via Apple’s internal notification storage—though Signal had been uninstalled, incoming notifications remained in the internal memory. Only incoming messages were retrieved (no outgoing).”

As 404 Media points out, Signal includes settings that prevent the actual message content from appearing in notifications. Nonetheless, it seems the defendant did not activate that setting, which may have permitted the system to store the content in the database.

404 Media attempted to contact Signal and Apple, but neither company offered any commentary on the management or storage of notifications.

### But How Does This Internal Storage Function?

With so little technical information about the specific condition of the defendant’s iPhone, it is impossible to determine the exact technique the FBI employed to recover the data.

For example, an iPhone can be in one of several system states, each with distinct security and data access limitations, such as BFU (Before First Unlock) and AFU (After First Unlock).

Security and data access also shift significantly when the device is unlocked because the system presumes the user is present and grants access to a broader range of secured data.

That said, iOS retains and caches a considerable amount of data locally, relying on these various states to keep that information secure yet readily accessible should the device’s legitimate owner require it.

Another critical consideration: the token utilized for sending push notifications is not instantly invalidated when an app is deleted. Since the server lacks knowledge about whether the app remains installed after the last notification it dispatched, it may persist in sending notifications, leaving it to the iPhone to decide whether to show them.

Interestingly, in iOS 26.4 Apple recently modified how iOS validates push notification tokens. While it is unclear if this change relates to this particular case, the timing is certainly noteworthy.

Returning to the case, given Exhibit 158’s statement that the messages “were retrieved from Sharp’s phone through Apple’s internal notification storage,” it is plausible that the FBI acquired the information from a device backup.

If that is the case, there are numerous commercially available tools for law enforcement that leverage iOS vulnerabilities to extract data, and these could have aided the FBI in accessing this information.

To view 404 Media’s original coverage of this situation, follow this link.
