Apple Patches iOS Flaw Exposing "Deleted" Signal Messages in FBI Investigation
Apple has released emergency security updates to fix a critical privacy flaw in iOS that allowed supposedly deleted notification data, including message previews from encrypted apps like Signal, to persist on iPhones and be recovered later. The vulnerability, patched in iOS 26.4.2 and iOS 18.7.8, was exploited by U.S. investigators to extract Signal messages from a suspect’s device without breaking encryption.
The issue came to light after a 404 Media report revealed that the FBI recovered Signal messages from an iPhone linked to a criminal case involving vandalism and an assault on a police officer at the ICE Prairieland Detention Facility in Alvarado, Texas, in July. Despite the Signal app being deleted from the device, investigators retrieved message previews from the iPhone’s notification database, which had retained the data due to a logging bug.
According to Apple’s security advisory, the flaw caused notifications marked for deletion to remain stored on the device, even after disappearing from the user interface. This could expose sensitive content, such as message text or login codes, from any app. The company addressed the issue with improved data redaction, ensuring deleted notifications are no longer recoverable.
Signal acknowledged the fix in a statement, confirming that no action is required from users beyond installing the iOS update. Once applied, the patch deletes inadvertently preserved notifications and prevents future retention of such data. The company praised Apple’s swift response, emphasizing the importance of ecosystem-wide efforts to protect private communications.
The incident underscores the risks of system-level data retention, even in encrypted messaging apps. While Signal’s end-to-end encryption remained intact, the flaw created a secondary record of conversations that persisted after deletion. Users are advised to update their devices to the latest iOS versions to mitigate the vulnerability.
Signal Messenger cybersecurity rating report: https://www.rankiteo.com/company/signal-messenger
Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
"id": "SIGAPP1777020266",
"linkid": "signal-messenger, apple",
"type": "Vulnerability",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'iPhone users running vulnerable '
                                              'iOS versions',
                        'industry': 'Technology / Consumer Electronics',
                        'location': 'Cupertino, California, USA',
                        'name': 'Apple',
                        'size': 'Large',
                        'type': 'Technology Company'},
                       {'customers_affected': 'Signal app users on vulnerable '
                                              'iOS versions',
                        'industry': 'Technology / Communications',
                        'location': 'San Francisco, California, USA',
                        'name': 'Signal',
                        'size': 'Medium',
                        'type': 'Messaging App Provider'},
                       {'industry': 'Law Enforcement / Corrections',
                        'location': 'Alvarado, Texas, USA',
                        'name': 'ICE Prairieland Detention Facility',
                        'type': 'Government Facility'}],
 'attack_vector': 'System-level logging bug',
 'customer_advisories': 'Users were informed to install the latest iOS updates '
                        'to address the vulnerability.',
 'data_breach': {'data_encryption': 'End-to-end encryption of Signal messages '
                                    'remained intact',
                 'data_exfiltration': 'Recovered by FBI from a suspect’s '
                                      'device',
                 'personally_identifiable_information': 'Potentially (via '
                                                        'message previews)',
                 'sensitivity_of_data': 'High (private communications, '
                                        'potentially PII)',
                 'type_of_data_compromised': 'Notification data (message '
                                             'previews, login codes)'},
 'description': 'Apple has released emergency security updates to fix a '
                'critical privacy flaw in iOS that allowed supposedly deleted '
                'notification data including message previews from encrypted '
                'apps like Signal to persist on iPhones and be recovered '
                'later. The vulnerability was exploited by U.S. investigators '
                'to extract Signal messages from a suspect’s device without '
                'breaking encryption.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to Apple '
                                       'and Signal due to privacy concerns',
            'data_compromised': 'Signal message previews, sensitive '
                                'notification data',
            'identity_theft_risk': 'Potential exposure of personally '
                                   'identifiable information via message '
                                   'previews',
            'systems_affected': 'iPhones running vulnerable iOS versions'},
 'investigation_status': 'Resolved (via patch)',
 'lessons_learned': 'System-level data retention can create secondary records '
                    'of private communications, even in encrypted apps. '
                    'Ecosystem-wide collaboration is critical for privacy '
                    'protection.',
 'motivation': 'Law enforcement investigation',
 'post_incident_analysis': {'corrective_actions': 'Improved data redaction in '
                                                  'iOS updates to prevent '
                                                  'retention of deleted '
                                                  'notifications',
                            'root_causes': 'Logging bug in iOS causing '
                                           'notification data to persist after '
                                           'deletion'},
 'recommendations': 'Users should update to the latest iOS versions (iOS '
                    '26.4.2 or iOS 18.7.8) to mitigate the vulnerability. '
                    'Companies should audit system-level logging for '
                    'unintended data retention.',
 'references': [{'source': '404 Media'},
                {'source': 'Apple Security Advisory'},
                {'source': 'Signal Statement'}],
 'response': {'communication_strategy': 'Security advisory from Apple, '
                                        'statement from Signal',
              'containment_measures': 'Emergency security updates (iOS 26.4.2 '
                                      'and iOS 18.7.8)',
              'remediation_measures': 'Improved data redaction to ensure '
                                      'deleted notifications are no longer '
                                      'recoverable'},
 'stakeholder_advisories': 'Apple and Signal advised users to update their '
                           'devices.',
 'threat_actor': 'FBI (for investigative purposes)',
 'title': "Apple Patches iOS Flaw Exposing 'Deleted' Signal Messages in FBI "
          'Investigation',
 'type': 'Privacy Flaw / Data Retention Vulnerability',
 'vulnerability_exploited': 'Notification data retention flaw in iOS'}