Apple has fixed a critical bug in iOS that allowed push notifications from the Signal messaging app to linger on iPhones and iPads, even after users deleted the app and its disappearing messages. This flaw enabled law enforcement agencies, including the FBI, to extract fragments of private chats using forensic tools, undermining the app's strong encryption. According to reports from Ars Technica and TechCrunch, the issue stemmed from a logging problem where notifications marked for deletion were unexpectedly retained in the device's database for up to a month.
The vulnerability came to light through investigations by 404 Media, which detailed how the FBI forensically pulled copies of incoming Signal messages from a defendant's iPhone during a hearing. Even though the messages had auto-deleted within Signal and the app itself was removed, previews shown in push notifications remained stored on the device. Signal President Meredith Whittaker highlighted the severity, stating on Bluesky that "notifications for deleted messages shouldn’t remain in any OS notification database." Apple classified it as CVE-2026-28950, describing it as a logging issue addressed through improved data redaction.
Signal expressed relief over the rapid response, with the company posting that it was "very happy Apple fixed" the bug. After users update their devices—no further action required—the patch automatically deletes any preserved notifications and prevents future retention for deleted apps. Apple backported the fix to older iOS 18 versions, ensuring broad protection across compatible iPhones and iPads. As Ars Technica noted, this ensures "no forthcoming notifications will be preserved for deleted applications."
This matters deeply for privacy-conscious users, such as activists, journalists, and others relying on Signal's end-to-end encryption to evade surveillance. The app is popular for secure communication, yet the bug exposed how operating system quirks could betray user intent. Law enforcement's ability to access this data has led to real-world cases, including arrests, prompting experts to recommend tweaking notification settings to show only alerts without message previews or sender details.
Looking ahead, affected users should update their devices immediately to an iOS version that incorporates the fix; the updates were released as early as Wednesday. While Apple has not detailed why the notifications were logged initially, the resolution underscores ongoing tensions between device security and forensic access. Signal emphasized that preserving private communication requires cooperation across the tech ecosystem, a point echoed in community discussions on platforms like Hacker News. For now, the patch restores trust, but it serves as a reminder that even encrypted apps depend on the underlying OS for full protection.