Apple released a software update on Wednesday fixing a security vulnerability that allowed law enforcement to extract deleted messages from iPhones and iPads, the company announced in April 2026.
The bug caused notifications containing message content to be cached on devices for up to a month, even after users deleted the messages from their messaging apps. According to Apple’s security notice, “notifications marked for deletion could be unexpectedly retained on the device.”
The issue came to light earlier this month when 404 Media reported that the FBI had successfully extracted deleted Signal messages from an iPhone using forensic tools. The messages were recoverable because their content had been displayed in notifications and stored in the phone’s database, despite being deleted within the Signal app.
Following the revelation, Signal president Meredith Whittaker said the messaging app maker requested Apple address the problem. “Notifications for deleted messages shouldn’t remain in any OS notification database,” Whittaker wrote on Bluesky.
Apple did not respond to requests for comment about why notifications were being retained in the first place, though the software fix suggests it was an unintended bug rather than a design choice. The company also backported the patch to devices running the older iOS 18 software.
The vulnerability raised concerns among privacy activists because it undermined a key security feature used by at-risk individuals. Apps like Signal and WhatsApp offer auto-delete timers that remove messages after a set period, helping users keep conversations private if authorities seize their devices. The bug effectively bypassed this protection, allowing deleted message content to remain accessible through the notification system.
Source: TechCrunch