Your iPhone Remembers Your Signal Messages Even After You Delete Them

The Prairieland case

In April 2026, the FBI extracted deleted Signal messages from the iPhone of Lynette Sharp, a volunteer with the Prairieland ICE Resistance Network. Sharp had used Signal's disappearing messages feature, setting messages to auto-delete after one week. She believed the conversations were gone. They were not.

Federal prosecutors presented the recovered messages as evidence in a case related to coordinating legal observer networks at ICE enforcement operations. The messages had been "deleted" within Signal for weeks before the phone was seized.

How the FBI did it

Signal's encryption was never broken. The Signal protocol remains secure. What the FBI exploited was a gap between Signal's app-level security and Apple's operating system behavior.

When a Signal message arrives on an iPhone, iOS processes the push notification and stores its content in a SQLite database managed by the operating system, not by Signal. This database lives at:

/var/mobile/Library/Notifications/

Signal can delete its own messages from its own app container. But Signal cannot delete notification records that iOS has already written to the system notification database. Those records persist independently of the app.

iOS stores notification content including:

• The sender's name or number
• A preview of the message text
• The timestamp
• The app that generated the notification

Even when Signal's disappearing messages feature deletes the message from the Signal app, the notification content remains in the iOS database until iOS itself purges it, which can take weeks or months.

Cellebrite does the rest

Once the phone was in AFU (After First Unlock) state, forensic tools like Cellebrite's UFED can extract the full iOS filesystem, including the notification database. The extraction process is straightforward:

1. Connect the seized iPhone to the Cellebrite UFED
2. Run a full filesystem extraction (requires AFU state)
3. Parse the notification SQLite databases
4. Filter for notifications from the Signal app
5. Reconstruct message content from cached notification text

The forensic examiner does not need to open Signal. They do not need the Signal PIN or registration lock. The messages are sitting in an iOS system database, outside of Signal's control.

The fix exists but nobody uses it

Signal provides a setting that prevents message content from appearing in iOS notifications. Navigate to:

Signal Settings > Notifications > Notification Content > No Name or Content

With this setting enabled, Signal notifications show only "New Message" with no sender name and no preview text. iOS stores the notification record, but the content field is empty. There is nothing for forensic tools to extract.

The problem: almost nobody changes this setting. Signal's default configuration shows sender name and message preview in notifications, because that is what users expect from a messaging app. The tradeoff between usability and forensic resistance is not obvious to most users.

What Signal says

Signal has acknowledged this limitation in their support documentation. Their position is clear: Signal protects messages in transit and at rest within the Signal app. Signal cannot control what the operating system does with notification content. This is an iOS behavior, not a Signal vulnerability.

The same issue exists on Android, where notification content is cached in the system notification log, though the specifics of storage and retention differ.

Disappearing messages are not forensic deletion

This case makes an important distinction clear. Signal's disappearing messages feature is designed for conversation hygiene, not forensic resistance. It deletes messages from the Signal app on both devices after a set time. It does not and cannot guarantee that no trace of the message exists anywhere on the device.

For true forensic resistance, you would need:

1. No Name or Content notification setting enabled
2. Disappearing messages turned on
3. A strong alphanumeric passcode (not biometrics alone)
4. iOS inactivity reboot protecting the phone if seized (iOS 18.1+)
5. An understanding that any unlocked phone is vulnerable regardless of what app you use

The bigger picture

The Prairieland case will likely appear in legal challenges across the country. Defense attorneys are already questioning whether extracting cached notification content from a third-party encrypted messenger requires a separate warrant beyond the device search warrant. The legal theory: users who chose encrypted disappearing messages had a reasonable expectation that the content was gone. iOS undermined that expectation without the user's knowledge.

The outcome of these challenges will shape how courts treat the gap between app-level encryption promises and operating system behavior for years to come.

What about other messaging apps?

The iOS notification caching issue is not unique to Signal. Every app that shows notification previews is affected. Here is what the FBI can actually get from each major messenger, based on a leaked FBI internal training document from December 2021:

Signal: Registration date and last connection date only. No message content from Signal's servers. But: iOS notification cache can contain incoming message previews if notification content is enabled.

WhatsApp: If the target has iCloud backup enabled, Apple will provide the iCloud backup which contains WhatsApp message history. WhatsApp can also provide subscriber info, blocked users, address book contacts, and "pen register" metadata (who messaged whom and when) in near-real-time with a court order.

iMessage: If the target has iCloud backup or Messages in iCloud enabled, Apple provides message content along with the encryption keys. Without cloud backup, Apple provides 25 days of iMessage lookup records (who the target tried to message).

Telegram: May provide IP address and phone number for confirmed terrorist investigations. No message content from standard chats. Secret chats are end-to-end encrypted and not stored server-side.

The key pattern: encryption protects messages in transit. The vulnerability is almost always at the endpoints. iCloud backups, iOS notification caches, and unlocked devices are where law enforcement actually gets content.

Step-by-step hardening guide

Signal

1. Settings > Notifications > Notification Content > No Name or Content (this is the critical one)
2. Settings > Privacy > Disappearing Messages > set a default timer (1 week or shorter)
3. Settings > Account > Registration Lock > Enable (prevents someone from re-registering your number)
4. Settings > Privacy > Screen Lock > Enable (requires biometric/PIN to open Signal)
5. Settings > Privacy > Screen Security > Enable (prevents screenshots and app switcher previews)

WhatsApp

1. Settings > Chats > Chat Backup > disable iCloud/Google Drive backup entirely (this is the #1 vulnerability)
2. Settings > Notifications > disable Show Preview on both iOS and Android
3. Settings > Privacy > Default Message Timer > set to 24 hours or 7 days
4. Settings > Account > Two-Step Verification > Enable

iMessage

1. Settings > Apple Account > iCloud > Messages > disable Messages in iCloud (this removes the cloud copy Apple can decrypt)
2. Settings > Notifications > Messages > Show Previews > Never
3. If you must use iCloud backup, enable Advanced Data Protection (Settings > Apple Account > iCloud > Advanced Data Protection) which end-to-end encrypts backups so Apple cannot decrypt them

General device hardening

1. Use a strong alphanumeric passcode, not a 4 or 6 digit PIN
2. Disable biometrics before any encounter with law enforcement (hold power + volume on iPhone to trigger Emergency SOS, which disables Face ID)
3. Keep your phone updated (iOS inactivity reboot protects seized devices on iOS 18.1+)
4. Understand that any unlocked device is fully accessible regardless of what apps you use

Sources

1. 404 Media, "FBI Extracts Suspect's Deleted Signal Messages Saved in iPhone Notification Database" (April 2026)
2. 9to5Mac, "FBI Used iPhone Notification Data to Retrieve Deleted Signal Messages" (April 2026)
3. Malwarebytes Labs, "Here's What Data the FBI Can Get From WhatsApp, iMessage, Signal, Telegram, and More" (December 2021)
4. Andrea Fortuna, "Signal, FBI, iPhone Notifications & Forensics" (April 2026)
5. SecurityAffairs, "iPhone Forensics Expose Signal Messages After App Removal" (April 2026)
6. The Forensic Scooter, "iOS KnowledgeC.db Notifications" (October 2021)
7. CyberInsider, "FBI Retrieved Deleted Signal Messages from iPhone Notification Database" (April 2026)
8. Digital Trends, "The FBI Just Cracked Open Signal Texts on an iPhone. Here's How to Lock Yours Down" (April 2026)