FBI Cracked Signal Privacy Using a Hidden iPhone Database

FBI forensically pulled deleted Signal messages from an iPhone’s push notification database in a terrorism trial, exposing a flaw iOS users didn’t know existed.

The FBI pulled off something most Signal users thought was impossible. Agents forensically recovered deleted Signal messages from a defendant’s iPhone — not from the app itself, but from a hidden corner of iOS that quietly stores push notification data, according to a 404 Media report citing multiple witnesses present during FBI testimony.

The case involved a group accused of vandalizing the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one person shooting a police officer in the neck. It also marked the first prosecution under President Trump’s designation of “Antifa” as a terrorist organization. Signal had already been deleted from the device. Didn’t matter.

What the FBI Found Sitting in Plain Sight

The push notification database on iPhones stores incoming message content for up to one month. Every messaging app that sends notifications is affected. As IntCyberDigest noted on X, “notification storage stores data from all messaging apps — it’s a big flaw in iOS.”

That flaw is what agents exploited. Specialized forensic software, run with physical access to the device, pulled the message content directly from that database. Signal does have a setting that blocks content from appearing in push notifications. The defendant apparently had not turned it on.

IntCyberDigest also confirmed on X that there is a way to disable this storage. Most users have no idea it exists.

Durov Points Back to 2013

Pavel Durov did not stay quiet. The Telegram CEO responded directly to the FBI story on X at @durov, writing that Telegram Secret Chats have never shown message content in push notifications — and that this design choice dates to 2013. He called Secret Chats “the most secure usable way to communicate” and went further, questioning Signal’s infrastructure.

Durov said the US government-funded Signal carries “too many questionable dependencies on other US companies” — naming AWS, Microsoft, and Intel SGX specifically. His post framed Telegram’s approach as a deliberate architectural decision, not an afterthought.

Durov has been vocal on surveillance and government reach before. He left France earlier this year under modified judicial supervision following his August 2024 arrest over allegations tied to Telegram’s content moderation practices.

What This Means for Signal Users

Signal’s end-to-end encryption itself was not broken. The messages were not intercepted in transit. They were sitting in a separate iOS system that handles notifications — a database outside Signal’s control unless users manually disable notification previews.

The feature to block message content from push notifications exists in Signal’s settings. It just isn’t on by default. And the broader context of Durov’s recent moves against government surveillance pressure suggests this gap between design and default settings is exactly the kind of thing that gets people caught.

The Texas case is a first. But the forensic method it exposed has been available to law enforcement for some time. Users who assumed deletion meant erasure just found out otherwise.