
Apple ends data storage that let police access Signal chats

Summary

– Apple fixed a security bug that allowed law enforcement to access deleted Signal messages from push notification logs.
– The bug caused push notifications with parts of encrypted messages to be stored on iPhones for up to a month, even after messages disappeared or the app was deleted.
– The FBI revealed the issue during a hearing, stating it could extract incoming Signal messages from a defendant’s iPhone from the push notification database.
– Apple confirmed the bug was due to a “logging issue” that failed to redact notifications marked for deletion, and a software update now stops this retention.
– Signal praised Apple for quickly fixing the bug, stating no further user action is needed to protect iOS users after the update.

Apple has quietly closed a security flaw that allowed law enforcement to recover content from deleted Signal messages stored in push notifications. The fix addresses a vulnerability that gave authorities an unintended path into communications that users believed were permanently erased.

People relying on encrypted messaging apps like Signal to shield sensitive conversations from surveillance were caught off guard when 404 Media reported that Apple was inadvertently retaining push notification data containing fragments of encrypted messages for as long as 30 days. This retention happened even after messages were set to auto-delete and the entire app had been removed from the device.

The issue came to light after 404 Media spoke with individuals who attended a court hearing where the FBI admitted it “was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.” That case marked what 404 Media described as “the first time authorities charged people for alleged ‘Antifa’ activities after President Trump designated the umbrella term a terrorist organization.”

On Wednesday, Apple confirmed it had patched the bug that enabled this forensic extraction. Users concerned about push notification security can update their devices; Apple described the problem as “notifications marked for deletion” that “could be unexpectedly retained on the device.” The company explained that the notifications should never have been stored in the first place, but a “logging issue” failed to properly redact the data.

Signal responded on Bluesky, expressing enthusiasm over the swift resolution. “We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue,” the post read. “It takes an ecosystem to preserve the fundamental human right to private communication.”

Signal also confirmed that after updating, “no action is needed for this fix to protect Signal users on iOS.”

(Source: Ars Technica)
