Apple Patches iOS Flaw That Let FBI Retrieve Deleted Signal Messages via Push Notification Database

Apple has released a security patch addressing a critical vulnerability that allowed law enforcement, including the FBI, to access deleted Signal messages through the iOS push notification system—even after the app was uninstalled and disappearing messages were enabled. The flaw, detailed in Apple's security advisory released Wednesday, caused notifications marked for deletion to be unexpectedly retained on the device, bypassing Signal's end-to-end encryption protections.

Signal, the encrypted messaging app used by journalists, activists, and privacy-conscious users globally, confirmed on social media platform X that the issue had been resolved. "Apple's advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release," the company stated. The vulnerability specifically exploited Apple's push notification infrastructure, creating a backdoor to message metadata and content that Signal's own encryption was never designed to protect against an operating system-level compromise.

The incident highlights a persistent tension in mobile security: end-to-end encryption, while robust between users, cannot fully shield communications when the underlying device or OS contains exploitable weaknesses. Security researchers have long warned that encrypted messaging apps operate within a trust boundary defined by the hardware and software stack beneath them. For investigators and state actors, this case underscores that accessing encrypted conversations does not always require breaking the encryption itself—only finding a flaw in how messages are handled at the system level before or after encryption takes effect.