A recent FBI investigation has revealed that deleted messages from Signal can still be recovered from an iPhone—not a weakness in the app itself, but due to how Apple handles notification data internally.
During a federal trial tied to an incident at the Prairieland ICE Detention Facility in Texas, investigators were able to extract fragments of incoming Signal messages from a suspect’s iPhone. Notably, this data remained accessible even after the app had been removed from the device.
Notification Storage, Not Encryption was the Issue
The key detail is that these messages were not retrieved from Signal’s encrypted database. Instead, they were recovered from the iPhone’s internal notification system. When message previews are enabled, iOS stores snippets of incoming notifications, including message content, in a local device-based database.
This means that even if messages are set to disappear within Signal, or the app itself is deleted, traces of those communications may still persist on the device.
According to courtroom testimony from FBI Special Agent Clark Wiethorn, only incoming messages were recoverable through this method. Outgoing messages, which are not stored in the same way via notifications, were not captured.
Also Read: Apple Devices Become First Consumer Products Cleared for NATO Classified Data—But Questions Remain
How the Data Was Recovered
The extraction was made possible through forensic analysis—specifically, tools used when authorities have physical access to a device. These tools can scan system-level storage, including databases that are not typically visible to users.
In this case, the recovered data came from notification previews that had appeared on the lock screen. If those previews included message content, that information was silently archived by the operating system.
Legal representatives involved in the case confirmed that the visibility of notifications played a critical role. Simply put, if a message appeared on the lock screen, it may have been stored—even if it later “disappeared” inside the app.
A Platform-Level Concern
Security researchers and analysts have pointed out that this is not unique to Signal. Instead, it reflects a broader tension between privacy-focused apps and operating system behavior.
Any messaging app that allows notification previews could potentially expose limited message data through the same mechanism. The issue lies in how iOS manages and retains notification content, rather than how individual apps encrypt or delete messages.
Why Notification Settings Matter
Signal already provides users with options to limit what appears in notifications, including:
- Showing full message content
- Displaying only the sender’s name
- Hiding both name and message entirely
This case shows the importance of those settings. Disabling message previews can significantly reduce the amount of sensitive information stored outside the app’s encrypted environment.
How to Delete these Messages Permanently
If you are changing these notification settings now, chances are the messages for around a month will still remain saved in the backend on the device database. To completely and permanently get rid of it, Object-See Foundations Founder, Patrick Wardle, has a simple and freeware tool called, “AuRevoir“.
Wardle explains AuRevois to be “a simple app we first released in 2018 that dumps and removes Signal (or other messages) cached in macOS’s notification database.” Wardle, whose research is mainly focussed on various Apple operating systems has kept the tool free and open-source for maximum outreach.
The investigation was part of a case involving multiple defendants accused of vandalism and violence at the Prairieland ICE facility. One individual, Lynette Sharp, had data extracted from her phone that included these notification-based message remnants.
Authorities stated that the recovered material contributed to the evidence presented in court. Ultimately, all defendants in the trial were convicted on multiple charges.
