The FBI was able to read a suspect’s Signal messages this week after pulling them from an iPhone’s push notification database, even though the user had deleted the app, according to a report from 404 Media. The messages had been sent through an app long prized by privacy-minded users for end-to-end encryption and disappearing chats.
That matters because Signal messages are supposed to be readable only by the sender and receiver, and they vanish over time to leave as little trace as possible. But if a message shows up in a push notification, a third party can read it, and that gap is not unique to Signal. It applies to any app that uses push notifications.
The case also points to a limit in the way encrypted messaging is often understood. The protection covers what is stored and transmitted inside the app, but not necessarily what appears on a phone’s lock screen or in a notification feed. In this instance, investigators reportedly relied on the notification database on the iPhone after the app itself was gone.
Signal has an internal setting meant to reduce that exposure. Users can tap their profile picture in the top left corner, go to Settings, then Notification, then Notification Content, and choose No Name or Content to stop push notifications from showing specific message information. The notification will still arrive, but the user has to open the app to see what was sent.
For people who use Signal to keep messages private, that distinction now matters more than ever. The encryption may still be strong, but a phone’s notifications can quietly preserve the one thing the app is designed to hide.
