Hacker News Viewer

Apple fixes bug that cops used to extract deleted chat messages from iPhones

by cdrnsf on 4/22/2026, 8:27:31 PM

https://techcrunch.com/2026/04/22/apple-fixes-bug-that-cops-used-to-extract-deleted-chat-messages-from-iphones/

Comments

by: dlcarrier

This was a bug that left it cached on the device. Apple and Google have put themselves in the middle of most notifications, causing the contents to pass through their servers, which means that they are subject to all the standard warrantless wiretapping directly from governments, as well as third-party attacks on the infrastructure in place to support that monitoring.

If you don't want end-to-end messages made available to others, set your notifications to only show that you have a message, not what it contains or who it's from.

4/22/2026, 9:14:46 PM


by: 6thbit

The "bug" discussed in the article is only part of the problem.

The main problem, which is that notification text is stored in a DB on the phone outside of Signal, is not addressed. To avoid that you have to change your settings.

In this case, the defendant had deleted the Signal app completely, and that likely internally marks that app's notifications for deletion from the DB, so the bug fixed here is that they were not removing notifications from the local database when the app that generated them was removed; now they do.

    Impact: Notifications marked for deletion could be unexpectedly retained on the device
    Description: A logging issue was addressed with improved data redaction.
    CVE-2026-28950

They classify this as a "logging issue" so it sounds like notifications were not actually in the database itself but ended up in some log.

4/22/2026, 9:15:35 PM


by: modeless

Oh, I was originally confused about this because I had thought the push notifications were end-to-end encrypted, so they couldn't be cached in readable form by the push notification service, and only decrypted by the app on device upon receiving the notification. But it seems like after the notification was decrypted by the app and shown to the user using OS APIs, the notification text was then stored by the OS in some kind of notification history DB locally on the device?

4/22/2026, 9:03:10 PM


by: pixel_popping

In privacy circles, this was always known, as Google/Apple often sends notification content to their servers (which means that it bypasses the App realm).

Some people talking about it (different but in the same scope of issue): https://blog.davidlibeau.fr/push-notifications-are-a-privacy-nightmare/

4/22/2026, 9:04:38 PM


by: nxobject

Note that Signal offers the option to use generic “You’ve received messages” notifications - it’s good practice in general.

4/22/2026, 9:02:52 PM


by: varun_ch

This makes me wonder: Cellebrite makes tools for law enforcement to break into iPhones, likely exploiting weaknesses/vulnerabilities. Does Apple buy Cellebrite’s tools and reverse engineer them? Or would they not have a way of acquiring them legally?

4/22/2026, 9:45:19 PM


by: skrtskrt

It's not new that push notifications should be presumed to be insecure, with their content passing through - and probably persisted - outside the app sandbox and anything in control of in-app encryption.

Apple should have fixed this long ago (not that you can trust a closed system), but Signal should also have strong guardrails & warnings around allowing message content in push notifications.

4/22/2026, 10:07:30 PM


by: itopaloglu83

Thankfully Apple backported the fix to iOS 18 as well.

4/22/2026, 9:05:28 PM


by: lynndotpy

Heads up. They have released an iOS 18 update (good!) but, and please bear the caps:

UPDATING IOS WILL ENABLE AUTOMATIC UPDATES TO IOS 26.

(Bad!) This is a new shady tactic they're using trying to get iOS 18 users to install iOS 26.

4/22/2026, 10:06:02 PM


by: maerF0x0

Cat and Mouse, good. This is the adversarial setup that results in a better outcome for all.

4/22/2026, 9:08:46 PM


by: cubefox

It is completely unclear from this article whether this means Apple no longer caches dismissed notifications somewhere.

4/22/2026, 10:08:56 PM


by: unethical_ban

I wonder if the same flaw exists on Android/GrapheneOS.

4/22/2026, 8:57:22 PM


by: tcfhgj

bug or backdoor?

4/22/2026, 9:34:21 PM