Forgot your password?
Close
typodupeerror
Privacy Bug Encryption Apple

Apple Stops Weirdly Storing Data That Let Cops Spy On Signal Chats (arstechnica.com) 34

Posted by BeauHD from the quick-fix dept.
Apple has fixed a bug that could cause parts of Signal notifications to remain stored on iPhones even after messages disappeared and the app was deleted. "Affected users concerned about push notifications can update their devices to stop what Apple characterized as 'notifications marked for deletion' that 'could be unexpectedly retained on the device,'" reports Ars Technica. "According to Apple, the push notifications should never have been stored, but a 'logging issue' failed to redact data." From the report: Vulnerable users hoping to evade law enforcement surveillance often use encrypted apps like Signal to communicate sensitive information. That's why users felt blindsided when 404 Media reported that Apple was unexpectedly storing push notifications displaying parts of encrypted messages for up to a month. This occurred even after the message was set to disappear and the app itself was deleted from the device.

404 Media flagged the issue after speaking to multiple people who attended a hearing where the FBI testified that it "was able to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the app was deleted, because copies of the content were saved in the device's push notification database." The shocking revelation came in a case that 404 Media noted was "the first time authorities charged people for alleged 'Antifa' activities after President Trump designated the umbrella term a terrorist organization." "We're grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue," Signal's post said. "It takes an ecosystem to preserve the fundamental human right to private communication."

In their post, Signal confirmed that after users update their devices, "no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications."

Apple Stops Weirdly Storing Data That Let Cops Spy On Signal Chats More | Reply

Apple Stops Weirdly Storing Data That Let Cops Spy On Signal Chats

Comments Filter:

  • Big picture problem (Score:5, Interesting)

    by FeelGood314 ( 2516288 ) on Thursday April 23, 2026 @07:35PM (#66109502)
    We see this architecture problem often. Data that shouldn't be stored is passed to some other process that doesn't know it isn't to be stored. Often it is with secrets, keys or the graphical display of a password. We see untrusted data scrubbed by one app to not do anything bad to that app but then the data or data derived from it is passed to another app that trusts it completely. Many of our systems are evolutions of years or decades of code piled on top of one another. What might have been an understandable architecture 15 years ago has likely morphed into a scrambled mess of data being passed around. Good for Apple to fix this since in many systems I've worked on this type of problem wouldn't have an owner or someone who would even take responsibility for fixing it.

    • Re: (Score:3)

      by AmiMoJo ( 196126 )

      It's a common problem with Apple. They just don't seem to have the privacy/security mindset when developing new features.

      Sometimes it's catastrophic, like AirTags.

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        Or it's just weird edge cases. Like having to display a notification for an app that no longer is on the device. It was stored for later display, then when it was reaped to display, the app no longer exists and it gets logged because it's likely an error that shouldn't occur because deleting the app should've cleared the notification queue of those messages. So it gets logged in the system log that something that shouldn't happen, happened.

        Of course, the other culprit is Signal itself, since it would be pas

        • Re: (Score:2)

          by _merlin ( 160982 )

          Signal gives you options to show no notification, only notify that a message was received, show the sender's name only, or show the message text. It warns you about security implications. The user has to make a decision to enable this.

    • Or, as Robert Morris Sr. said about breaking confidential communications, "Look for plaintext. It comes up in the darnedest place", or words to that effect.

  • Weirdly (Score:5, Interesting)

    by fahrbot-bot ( 874524 ) on Thursday April 23, 2026 @07:58PM (#66109516)

    Apple Stops Weirdly Storing Data That Let Cops Spy On Signal Chats

    So... now they're just storing it - non-weirdly? Not sure how that's better.

    Apple has fixed a bug that ...

    Oh, you meant, "incorrectly" or "unintentionally".

    (*sigh*)

  • Doesn't the App have to ask for notifications? That seems like an app flaw, intentionally turning over its data to operating system functionality it has no control over.

    Also I think apps have options for notifctions. They don't have to be previews of the communication. They could simply be a "bing" noise and a counter on the app icon indicating unread messages. The operating system never seeing communications content in the latter case.

    • Even non-preview notifications can be a compromise. Metadata, as usual.

      Let's say some malevolent agency got the unlocked phone of your friend, with messages (perhaps "let's meet at the docks at 9:00", "are you there" ...) sent to a Signal username at specific times.

      And then you have OS notifications "you have a Signal message" done at exactly that times + processing delay. That would be a bit revealing.

      • Good point, however processing delay is a time window, not an exact time. Now, unless there has only been exactly one message sent via Signal during said time window, how are you going to prove which one was the one received?

        Furthermore, it's easy to further obfuscate this by making the time window even longer, or adding a random delay. For example by only notifying every 5 minutes, or every hour - how many Signal messages worldwide are sent in one hour?

        • Re: (Score:2)

          by pereric ( 528017 )

          Yes, obfuscation may help a bit. Even if people probably want a notification within - perhaps 30s?

          And note that this isn't about Signal metadata, but from the Signal app to the OS. if you have the notifications for *single device* and they match the time stamps of a sender within 5 min, with no other notifications (if you only communicated with that sender), it may be indicative, even there is some p for it being a coincidence.

    • ^THIS, handing over private, sensitive information to a domain outside of your control should have showed up in even the simplest threat modeling. Doesn't Signal do any threat modeling?

    • Doesn't the App have to ask for notifications? That seems like an app flaw, intentionally turning over its data to operating system functionality it has no control over.

      The assumption was that any app notification would not be stored after than notification is gone. Something up on your screen at time "x" has a different risk profile than something that still exists on the system at time "x+y". It was a relatively good assumption as well given the operating system actually provides API level control over if a notification is sensitive or not (how much information is displayed when something is unlocked). There's no reason to not hand over data to a system you believe is ha

      • The assumption was that any app notification would not be stored after than notification is gone. Something up on your screen at time "x" has a different risk profile than something that still exists on the system at time "x+y". It was a relatively good assumption as well given the operating system actually provides API level control over if a notification is sensitive or not (how much information is displayed when something is unlocked). There's no reason to not hand over data to a system you believe is handling it correctly.

        I don't agree with this. The push notification is passed on to Apple systems. I don't think you can say it's necessarily an operating system system issue, because push notifications can hit multiple devices (watch, phone, ipad, laptop, etc.) on multiple operating systems. So notifications have to go through Apple servers.

        I think the question is whether you trust the Apple servers and all your various devices that are logged into your account.

        For extremely sensitive data, I would say no!

        I'm glad Apple is mak

      • Re: (Score:2)

        by drnb ( 2434720 )

        Doesn't the App have to ask for notifications? That seems like an app flaw, intentionally turning over its data to operating system functionality it has no control over.

        The assumption was that any app notification would not be stored after than notification is gone.

        And isn't that just the explanation for the mistake that Signal made? Again, they are turning over data to code they have no control over. Apple has a tendency to send message to all devices a user has. If you have Signal on your phone and your Mac, how is Apple handling the message? Historically deleting a message on one device does not necessarily delete it on the other device. Honestly, it's quite surprising that Signal trusted Apple in this regard. I would hope such an app would not use the operating sy

    • Re: (Score:2)

      by allo ( 1728082 )

      If you argue like "an app flaw, intentionally turning over its data to operating system functionality it has no control over" you may not run on any operation system you cannot fully trust. If you think iOS may log your messages, then you must also assume it interferes with how the app runs.

      • Re: (Score:2)

        by drnb ( 2434720 )

        If you argue like "an app flaw, intentionally turning over its data to operating system functionality it has no control over" you may not run on any operation system you cannot fully trust. If you think iOS may log your messages, then you must also assume it interferes with how the app runs.

        A notification to all of a users's devices associated with an Apple ID sounds like an entirely different level of potential risk than printing something on a screen. Keep in mind that the incoming data should have been encrypted and stayed that way until immediately before printing.

  • Shitty Extrapolation (Score:4, Insightful)

    by Petersko ( 564140 ) on Friday April 24, 2026 @04:30AM (#66109854)

    No, they are not "spying". They've seized the device and forensically extracted the notification text from internal logs. The point of spying is that those spied upon don't know you can see them. Now if they had snagged the device, installed a log capture and forward sniffer on it, and returned it without the user knowing, THAT would be spying.

    Between that shitty summary and the use of the word "weirdly", it's clearly just bait. Move along.

    If Signal really wanted to be properly sandboxed and secure, they wouldn't be dumping stuff into notifications... but that's a different complaint.

    • Speaking of forensics, if you're a law-abiding citizen who just wants to keep private information private, iOS lockdown mode will reported halt the Coruna forensics tool in its tracks. Source, Eva Galperin at EFF. It's a royal PITA to use though.

  • How about not putting sensitive data into notifications in the first place? Signal needs to decide if it's a security app or a trendy chat app.

    • Many users prefer to get these notifications, either one that tells them a message arrived, or even one displaying the message itself. Up to the user to show or disable them. Only problem is that not many people understand how notifications work, or that they are stored outside of the app data store.
  • > 404 Media flagged the issue after speaking to multiple people who attended a hearing where the FBI testified that it "was able to forensically extract copies of incoming Signal messages from a defendant's iPhone ..

  • In as much as ACAB, it's far more likely that ICE is tapping into things like that for their nefarious schemes. At least Apple seems to have stopped for the moment. I wonder what other chat and/or message systems they have their little worms running through.

  • A bit more nuanced than that (Score:4, Informative)

    by battingly ( 5065477 ) on Friday April 24, 2026 @10:18AM (#66110180)

    It's bug that shouldn't have existed in the first place and it deserved to be fixed. However, to get the message stored in the notification database, the user needed to change the default setting and allow messages to be displayed on the screen of a locked phone.

    If you've chosen to have messages displayed on the screen of a locked phone, you're basically saying you're not concerned about keeping the messages secure, so the user bears some responsibility here.

  • Why only the FBI? China does worse... (Score:1)

    by Anonymous Coward

    I find it amusing that Apple will go to great pains to fix their code when it is the FBI, but when the People's Police ask for stuff, it seems like Apple and others happily give it to them... and you NEVER hear about Apple working on privacy issues when it comes to law enforcement from China.

    It shows the US's LEOs are an easy target, because if that stuff is tried in another company, at best Apple would be banned. At worst, all offices would get raided, and officials and company officers disappeared.

Slashdot Top Deals

Organic chemistry is the chemistry of carbon compounds. Biochemistry is the study of carbon compounds that crawl. -- Mike Adams

Close