Federal Bureau of Investigation Retrieved Signal Messages After App Deletion in Texas Case

A recent FBI case in Texas has shattered a common belief about private messaging. Investigators were able to retrieve incoming Signal messages from a suspect’s iPhone long after the user deleted the application.

The case involves a group of individuals who set off fireworks and caused property damage at the ICE Prairieland Detention Center in Alvarado, Texas, along with one individual shooting an officer in the neck.

The FBI did not break the Signal encryption, nor discover a vulnerability with the security of the app. The agency’s forensic specialists retrieved the data from an entirely different location on the iPhone than the app itself.

In this case, they pulled the data from Apple’s own stored notification file system. This discovery poses a challenge to what many people believe about disappearing messages or deleted apps.

The Electronic Frontier Foundation (EFF) has for some time provided warnings that encrypted apps do not control how the underlying operating system handles notifications. In addition, Signal says on their support pages that disabling notification previews is the only way to keep messages from showing up in the system log.

Incoming Messages Leave Traces, Outgoing Ones Do Not

Court testimony revealed a crucial detail – investigators only recovered incoming messages, not outgoing ones. This makes perfect sense when you understand how push notifications work on iPhones.

When someone sends you a Signal message, the app server pushes a notification to Apple’s infrastructure – Apple then delivers that notification to your device. If the notification content includes the message text, that text lands directly in the operating system’s notification database. The iPhone stores this data for features like lock screen previews and notification history.

Outgoing messages follow a different path. They travel directly from your device to the server. They never go through Apple’s push notification system. Therefore, they leave no equivalent trace in the system database.

The vulnerabilities in digital systems extend beyond messaging apps, a major tech supply chain breach involving Luxshare, a key Apple and Nvidia supplier, demonstrated how ransomware attacks can compromise sensitive corporate data, exposing the fact that even the most valuable technology companies are vulnerable when third-party partners are compromised.

This reflects the reasons the FBI could recover those incoming messages but not the outcoming messages which don’t pass through the Apple push notification system.

Furthermore, NIST provides a number of methods that detail how investigators may extract the notification database from an unlocked iPhone using forensic tools. In other words there would be no need to remove any encryption when using forensic tools.

iOS Stores Notification Data Even After App Removal

Many users believe that deleting an app erases all its data. The Texas case proves otherwise. iOS maintains structured databases for notifications that can persist long after an app disappears from the home screen.

When you receive a message, iOS decrypts it locally for display. The system then caches notification data for practical reasons, such as recovering the notification list after a reboot. These databases can remain on the device even after you uninstall Signal. Forensic tools can then extract fragments of those messages from system-level storage.

Security researcher Andrea Fortuna explains that one plausible recovery method involves a logical acquisition after the suspect unlocked the phone at least once. Investigators can then analyze an encrypted iTunes backup, which often contains rich system and app data, including notification databases. Tools like idevicebackup2 can extract these backups without modifying the device.

The key point is simple. Uninstalling Signal does not erase all traces of messages that once appeared on the screen. Fragments of those messages can remain embedded in the phone’s system storage, designed for convenience features like notification history.

Users Can Protect Themselves by Disabling Notification Previews

The Texas case does not mean Signal has a security flaw. Signal’s encryption remains completely intact. Operating systems store content sent as messages independent of the app in use. In fact, you could include other messaging applications – such as WhatsApp, Telegram, etc. – that utilize push notifications to have the same issue.

Users who want better privacy can take a simple step, disable notification previews on your lock screen. On an iPhone, go to Settings, then Notifications, then Signal, change the setting to show “Never” or “When Unlocked.” You can also select “Content Hidden” mode, which prevents readable message text from appearing in notifications at all.

According to the Center for Internet Security (CIS), disabling message previews on smartphones is a good way to enhance the security of your sensitive information and a good privacy practice. This simple setting prevents the operating system from storing readable message content in its notification database.

The FBI case delivers a clear warning, privacy can be on many levels. Also, digital encryption provides protection of data in transmission, but it is difficult to provide any protection of that data after it has been received.

There are many examples of messaging applications providing means to delete messages once they are stored in their database, however they have little or no ability to control the manner in which an operating system will store those notifications. Disappearance in an app does not guarantee disappearance from the phone.