FBI Retrieved Deleted Signal Messages From an iPhone — Here’s Exactly How, and the One Setting That Would Have Stopped It



Published: April 10, 2026 | Breaking security news. Verified against 404 Media’s original court reporting and public trial testimony.


What Happened — The Short Version

On April 9, 2026, investigative outlet 404 Media published testimony from a federal terrorism trial showing that the FBI recovered incoming Signal messages from a defendant’s iPhone even after Signal had been deleted from the device and the messages had been set to automatically disappear.

The method did not involve cracking Signal’s encryption. It did not require a backdoor. It exploited a routine iOS behavior that most users don’t know exists: when message previews are enabled on your lock screen, iOS stores a copy of incoming notification content in an internal database — and that database persists even after you delete the app.

The fix takes under 60 seconds. It’s a setting change inside Signal. We’ll walk you through it.


The Case: What the FBI Actually Found

The disclosure emerged during the federal terrorism trial of nine defendants charged in connection with the July 4, 2025 assault on the ICE Prairieland Detention Facility in Alvarado, Texas. Prosecutors alleged the group set off fireworks, vandalized property, and that one individual shot an Alvarado police officer in the neck. The trial is being heard in U.S. District Court in Fort Worth.

One defendant, Lynette Sharp, 57, had already pleaded guilty in November 2025 to one count of providing material support to terrorists, with a 15-year maximum sentence. She agreed to cooperate with prosecutors.

On March 10, 2026 — the twelfth day of trial — FBI Special Agent Clark Wiethorn testified about forensic evidence collected from Sharp’s iPhone. He described what is now labeled Exhibit 158.

A summary published by a group supporting the defendants describes the finding in plain terms:

“Messages were recovered from Sharp’s phone through Apple’s internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing).”

Defense attorney Harmony Schuerman was present for the testimony and independently confirmed the account to 404 Media reporter Joseph Cox, whose original report broke the story on April 9, 2026.


The Technical Mechanism: Why This Happened

This section is the most important part of this article. Understanding the mechanism is the only way to protect yourself against it.

How iOS handles push notifications

When a messaging app like Signal delivers a message to your iPhone, the process works like this:

  1. The sender’s Signal app encrypts the message using Signal’s end-to-end encryption protocol.
  2. The encrypted message travels through Signal’s servers to Apple’s Push Notification Service (APNs).
  3. Apple’s APNs delivers the notification to your device.
  4. Signal’s app receives the notification and decrypts it locally using a background extension — specifically, a UNNotificationServiceExtension that runs on the device.
  5. iOS then stores the decrypted notification content in an internal push notification database so it can display the preview on your lock screen or notification shade.

Steps 1 through 4 are governed by Signal’s encryption, which remains intact and was not compromised in this case. Step 5 is governed by iOS — and it happens automatically, regardless of what Signal does, as long as message previews are enabled.

Why the database survives app deletion

When you delete Signal, iOS removes the app, its data container, and its encryption keys. What it does not automatically remove is the notification database entry — because that database is owned and managed by iOS itself, not by individual apps. The push notification token associated with Signal is also not immediately invalidated upon deletion.

The result: a forensic copy of any incoming message that arrived as a notification preview exists in iOS’s internal storage, independent of Signal’s own encrypted data store. It persists after deletion. It persists after the disappearing message timer fires. It persists as long as the iOS notification database entry is not explicitly cleared.

As developer and researcher Michael Tsai noted: “iOS should probably delete an app’s entries from the notifications database when said app is deleted.” As of April 2026, iOS does not do this.

What was actually recovered — and what wasn’t

Only incoming messages were found. Outgoing messages sent from Sharp’s device were not recovered via this method — those are encrypted and stored within Signal’s data container, which was gone once the app was deleted.

The recovered messages had also been configured as disappearing messages within Signal — meaning Signal’s own timer had already deleted them from within the app. The notification database copy was immune to Signal’s internal deletion mechanism because it lived outside Signal’s data container.

This is not a flaw in Signal’s encryption

Signal’s end-to-end encryption protocol is not broken. The cryptography did what it was supposed to do. The vulnerability exists entirely in how iOS handles the convenience feature of lock screen notification previews, not in anything Signal did or failed to do.

Signal does provide a setting to prevent message content from appearing in notifications at all. The defendant did not have that setting enabled. That single default — left at the factory setting — allowed iOS to cache plaintext message content outside of Signal’s encrypted environment.


The Fix: One Setting, 30 Seconds

There are two places to close this exposure. Do both if you use Signal for anything sensitive.

Fix 1 — Inside Signal (the most targeted approach)

This prevents Signal specifically from sending message content to the iOS notification system in the first place. It is the most precise fix because it targets the specific data that was exploited.

On iPhone (iOS):

  1. Open Signal
  2. Tap your profile icon (top left)
  3. Tap Notifications
  4. Under Notification Content, tap Show
  5. Select No Name or Message

With this setting enabled, Signal will still alert you that a notification arrived — but it will not include the sender’s name or message content in the preview. iOS will therefore have nothing meaningful to store in its notification database.

On Android:

  1. Open Signal
  2. Tap the three-dot menu → Settings
  3. Tap Notifications
  4. Under Show, select No Name or Message

Fix 2 — iOS-level notification previews (system-wide protection)

This disables notification content previews across all apps, not just Signal. It is more thorough but applies universally.

On iPhone:

  1. Open the Settings app
  2. Tap Notifications
  3. Tap Show Previews
  4. Select When Unlocked or Never

When Unlocked means notification content is only shown (and stored for display) after you have authenticated with Face ID, Touch ID, or your passcode. Never is the most secure option and means iOS will not store message preview content at all.

Which fix should you use?

| Setting | Protection level | Convenience trade-off |
|---|---|---|
| Signal: No Name or Message | ✅ Blocks Signal message content from iOS notification DB | Notifications show only “Signal”, no preview |
| iOS: Show Previews → Never | ✅ Blocks all apps’ content from notification DB | No previews from any app |
| iOS: Show Previews → When Unlocked | ⚠️ Partial: content stored after first unlock | Previews visible after authentication |
| No change | ❌ Current default, vulnerable | Full convenience |

For most users, the Signal in-app setting is the right balance: it closes the specific exposure without affecting other apps. For users with elevated privacy concerns (journalists, lawyers, executives, anyone whose communications are potentially subject to legal process), applying both fixes together is the correct configuration.


What This Means for Everyone Who Uses Signal

Signal’s encryption is intact — but “encrypted app” doesn’t mean “no data leaves the app”

This case is a useful corrective to a common misconception about how encrypted messaging works in practice. End-to-end encryption protects the transmission of messages between devices. It does not govern what the operating system does with the content of those messages once they arrive on the device and are decrypted for display.

When you enable lock screen previews for any messaging app, you are implicitly instructing iOS to make a convenience copy of incoming message content in a location it controls. That copy is outside the app’s encrypted environment. It is accessible to forensic tools that have physical access to the device.

This is not unique to Signal. WhatsApp, Telegram, iMessage, and any other app with notification previews enabled is subject to the same behavior. The reason Signal is the focus here is that Signal users tend to be users who specifically care about message confidentiality — and the gap between their privacy expectations and their default settings turns out to be significant.

The physical access requirement matters

The forensic technique used in this case requires physical access to the device and the ability to run specialized extraction software on it. This is not a remote exploit. It is not a network-level attack. It cannot be used against you unless law enforcement or another party physically possesses your iPhone and can unlock it or has tools to bypass device encryption.

For the vast majority of users, the practical risk is low. But for users who chose Signal precisely because they are concerned about device seizure (journalists protecting sources, attorneys with privileged client communications, human rights workers in repressive environments, and anyone under active legal scrutiny), this case is a direct prompt to change these settings now.

Disappearing messages do not protect notification database copies

This point bears emphasis because disappearing messages are one of Signal’s most-used privacy features. A message configured to disappear after one hour will disappear from Signal’s message database after one hour. It will not remove the corresponding entry from iOS’s notification database unless notification content was never stored there to begin with.

If you rely on disappearing messages for privacy, the setting described in Fix 1 above is the only configuration that ensures disappearing messages actually disappear from all storage on the device.
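
The lifecycle mismatch described in this article can be shown as a simplified model. This is an added example, not Signal's or Apple's code: the class, method and constant names are assumptions, and the two lists stand in for the app's data container and the OS-owned notification store.

```python
from dataclasses import dataclass, field
from enum import Enum

class Preview(Enum):
    FULL = "sender and message text in the notification"
    NONE = "No Name or Message"  # the Signal setting from Fix 1

PLACEHOLDER = "New message"  # constructed stand-in for a content-free alert

@dataclass
class Device:
    preview: Preview
    app_container: list = field(default_factory=list)       # owned by the app
    notification_store: list = field(default_factory=list)  # owned by the OS

    def receive(self, sender, text, expires_at):
        # Incoming: decrypted by the app, then handed to the OS for display.
        self.app_container.append({"text": text, "expires_at": expires_at})
        body = text if self.preview is Preview.FULL else PLACEHOLDER
        title = sender if self.preview is Preview.FULL else "Signal"
        self.notification_store.append({"title": title, "body": body})

    def send(self, text, expires_at):
        # Outgoing: stored only in the app container, never a notification.
        self.app_container.append({"text": text, "expires_at": expires_at})

    def tick(self, now):
        # Disappearing-message timer: reaches only the app's own store.
        self.app_container = [m for m in self.app_container if m["expires_at"] > now]

    def uninstall(self):
        # App container is removed; the OS-owned store is left as it was.
        self.app_container.clear()

    def recoverable_text(self):
        # Message text still present anywhere on the device.
        stored = [m["text"] for m in self.app_container]
        stored += [n["body"] for n in self.notification_store if n["body"] != PLACEHOLDER]
        return stored

def seized_after_cleanup(preview):
    """Constructed scenario: messages expire, app is deleted, device is examined."""
    phone = Device(preview)
    phone.receive("alice", "incoming one", expires_at=3600)
    phone.send("outgoing reply", expires_at=3600)
    phone.receive("bob", "incoming two", expires_at=3600)
    phone.tick(now=7200)
    phone.uninstall()
    return phone.recoverable_text()
```

With previews on, only the two incoming texts remain after expiry and uninstall, matching the trial testimony; with the Fix 1 setting, nothing with message content remains.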


The Case in Broader Context

This is not the first time iOS notification storage has been known to forensic practitioners as a data source. Digital forensics tools from companies like Cellebrite and MSAB have documented notification database extraction as a capability for years. What makes this case notable is that it surfaced in open court testimony in a high-profile federal trial — making the technique part of the public record in a way that hadn’t happened before.

The disclosure arrives at a moment of heightened attention to secure communications. In March 2026, it was reported that US government officials had inadvertently added a journalist to a Signal group chat discussing military operations. That incident raised different questions — about operational security practices, not about Signal’s technology — but it primed the public’s attention to Signal as a subject.

Signal acknowledged a request for comment on March 12, 2026 and then stopped responding to follow-up emails. The company has not issued a public statement on the Prairieland forensic finding as of publication. Apple also did not respond to requests for comment and has not issued a statement.

The absence of a public response from either company is notable. Signal’s own documentation has, for years, included guidance recommending that users disable notification previews for maximum privacy. The company appears to have chosen not to draw additional attention to a known limitation rather than issue a proactive disclosure.


Bottom Line

Signal’s encryption did not fail. Apple’s notification subsystem worked exactly as designed. The gap is between what users expect privacy-protecting defaults to be and what those defaults actually do.

The fix is free, takes 30 seconds, and requires no technical knowledge. Do it now if you haven’t:

Signal → Profile → Notifications → Show → No Name or Message.


FAQ

Did the FBI break Signal’s encryption?

No. Signal’s end-to-end encryption was not compromised. The FBI extracted message content from iOS’s internal push notification database — a system Apple controls, separate from Signal’s encrypted data store. Signal’s cryptography was not involved in the recovery.

Does this affect Android users?

The specific case involved an iPhone running iOS. Android handles push notifications differently. The general principle — that notification content may be stored by the OS outside an app’s encrypted environment — applies across platforms, but the specific database exploited here is an iOS-specific system. Android users should still disable notification content previews in Signal as a precaution, following the steps above.

Do disappearing messages in Signal protect against this?

No. Disappearing messages are deleted from Signal’s own database when the timer fires. They do not delete entries from iOS’s notification database. The messages recovered in this case had already disappeared from within Signal — but their previews remained in iOS’s notification storage.

Is this a problem with other messaging apps too?

Yes. Any messaging app that sends notification previews is subject to the same iOS behavior. WhatsApp, Telegram, iMessage, and others can all have message preview content cached in the iOS notification database. The fix is the same: disable notification previews either in the app’s settings or at the iOS system level.

Does this require a search warrant?

Standard law enforcement procedure requires a warrant to search a seized device. In this case, the extraction occurred as part of a federal criminal investigation with appropriate legal process. Physical access plus forensic tools — not a remote or warrantless exploit — is what made this recovery possible.

Should I stop using Signal?

No. Signal remains one of the most technically secure messaging applications available. The vulnerability disclosed here is a function of iOS default behavior, not of Signal’s cryptographic design. With the notification setting changed, Signal’s privacy properties function as intended. Switching to a less secure alternative would be a worse outcome.

What should I do right now?

Open Signal. Go to your profile settings. Tap Notifications. Set Show to “No Name or Message.” That’s it.


Primary source: 404 Media — Joseph Cox, April 9, 2026 · Signal Notification Settings Documentation


BitsFromBytes does not have an affiliate relationship with Signal or Apple. This article contains no sponsored content.
