Signal’s disappearing messages weren’t fully disappearing. When a message arrived on your iPhone, iOS stored the notification content in an internal database — and that database held onto the text for up to a month after you deleted the message inside Signal. The FBI ran forensic tools on someone’s iPhone and extracted Signal message content that the app’s auto-delete timer had supposedly erased. Apple has now patched the bug, according to TechCrunch.
Apple’s security notice described it as: “notifications marked for deletion could be unexpectedly retained on the device.” What that means in practice: Signal’s auto-delete feature — which lets users set timers on messages, a critical tool for journalists, activists, and anyone who fears device seizure — was only deleting the message from Signal’s own storage. iOS was keeping a shadow copy in the notification cache the whole time.
Signal president Meredith Whittaker called Apple out on: “Notifications for deleted messages shouldn’t remain in any OS notification database.” Apple backported the fix to iOS 18, so you don’t have to be on the latest release to get it. If you use Signal’s disappearing messages feature and haven’t updated recently, now is the time.
Previously:
Leave a comment