Signal chat evidence from Sharp’s device (Exhibit 158):
Messages were recovered from Sharp’s phone through Apple’s internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing).
Yes, this most likely comes from Biome/KnowledgeC data, which can persist for 30 days. This is not unique to Signal but affects a bunch of apps.
iMessage, Instagram, Facebook, Discord are good examples as they rely on “iOS-level” notification hiding which does nothing in reality.
Signal, Telegram, and WhatsApp have options to sanitize the notification in-app which is the “real protection” against this.
The only way to wipe notification remnants is to factory reset the phone and NOT restore from an iCloud backup. Your iCloud backup can reintroduce old forensic artifacts. If you have iCloud+ then using iCloud backups would be silly. Most of your important stuff is saved as synced data:
Photos (iCloud Photos)
Messages (if Messages in iCloud enabled)
Contacts, Notes, Calendars
iCloud Drive files
Keychain (passwords)
Extra Note: It is also important for everyone you communicate with to be just as educated as you or all of this is for nothing. The FBI used one person's phone (who deleted the app) to access the messages of other people. This serves as a reminder to not blindly use these secure platforms without understanding at least some digital forensics. People bash the cloud for being insecure yet are harvesting a gold mine of data on local devices that could be accessed depending on their security posture.
Could you explain the difference between apps relying on “iOS-level” notification hiding and other apps sanitizing notifications in-app please?
Might misunderstand you - just not allowing notifications when you set up the app and Apple asks to - that’s not enough? Rather you should not allow notifications within the app (too), especially notification content (so instead of Name and Content changing it to no Name and Content).
I believe your understanding is correct - apps that can hide notifications from in-app settings while still allowing notifications to come through, i.e. “Signal name only notifications” for example, is the notification sanitization. At least that's how I understand it.
I presume even if you put an app like iMessage behind the Face ID lock which “hides” the notification, it's still part of the OS-level notification logging.
The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database […]
@henry-fisher from Techlore also provided some useful contextualization on his socials:
When Signal messages arrive, iOS stores push notification previews locally on the device. Those previews stayed behind even after Signal was uninstalled.
Two things:
Only incoming messages were captured this way
Disappearing messages that had already vanished inside Signal were still recoverable from the notification cache
This is iOS behavior, not a Signal vulnerability. And likely impacts other apps.
This is a very high threat model concern, though the fix is straightforward: Signal → Settings → Notifications → Show → set to “No Name or Content”
You’ll still get a notification ping, but iOS just won’t cache anything useful.
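To make the distinction discussed above concrete (OS-level preview hiding versus in-app sanitization, and the “No Name or Content” fix), here is a small simulation. It is an added example, not code from the thread, from Signal or from Apple: the cache schema, the app names, the rendering modes, the sample messages and the 30-day retention window are all constructed assumptions that mirror the thread's description, not the real knowledgeC/Biome layout.

```python
"""Toy model of how notification previews end up in an on-device cache.

Added example (assumptions throughout): the OS stores whatever text the app
hands it at delivery time, lock-screen preview hiding only affects rendering,
and in-app sanitization keeps the content out of the payload altogether.
"""
from __future__ import annotations

import sqlite3
from datetime import datetime, timedelta, timezone

# Apple Cocoa/Core Data timestamps count seconds from 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumed retention window, matching the 28-30 day figure quoted in the thread.
RETENTION = timedelta(days=30)


def to_cocoa(ts: datetime) -> float:
    """Convert an aware datetime to a Cocoa timestamp (seconds since 2001-01-01)."""
    return (ts - COCOA_EPOCH).total_seconds()


def render_in_app(sender: str, body: str, mode: str) -> tuple[str, str]:
    """What the messaging app hands to the OS as (title, body).

    Modes mirror Signal's Settings > Notifications > Show options (assumed
    strings). Only 'no_name_or_content' keeps both sender and text out.
    """
    if mode == "name_and_content":
        return sender, body
    if mode == "name_only":
        return sender, "New message"
    if mode == "no_name_or_content":
        return "Signal", "New message"
    raise ValueError(f"unknown mode {mode!r}")


class NotificationCache:
    """Stand-in for the on-device notification store (schema is an assumption)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE notifications (app TEXT, title TEXT, body TEXT, cocoa_ts REAL)"
        )

    def deliver(self, app: str, title: str, body: str, when: datetime) -> None:
        # The OS records whatever the app handed it, before any lock-screen
        # preview hiding is applied. Outgoing messages never pass through here,
        # which is why only incoming content is recoverable.
        self.db.execute(
            "INSERT INTO notifications VALUES (?, ?, ?, ?)",
            (app, title, body, to_cocoa(when)),
        )

    def lock_screen(self, app: str, title: str, body: str, hide_previews: bool) -> str:
        # OS-level "Show Previews: Never" changes only what is drawn on screen;
        # the stored row is untouched.
        return f"{app}: notification" if hide_previews else f"{title}: {body}"

    def purge(self, now: datetime) -> int:
        """Drop rows older than RETENTION; returns how many were removed."""
        cutoff = to_cocoa(now - RETENTION)
        cur = self.db.execute("DELETE FROM notifications WHERE cocoa_ts < ?", (cutoff,))
        return cur.rowcount

    def recovered(self) -> dict[str, list[str]]:
        """What a forensic extraction of the cache would see, grouped by app."""
        out: dict[str, list[str]] = {}
        for app, title, body in self.db.execute(
            "SELECT app, title, body FROM notifications ORDER BY cocoa_ts"
        ):
            out.setdefault(app, []).append(f"{title}: {body}")
        return out


def simulate(now: datetime | None = None) -> dict[str, list[str]]:
    """Constructed scenario: one incoming message to three app configurations."""
    now = now or datetime(2025, 6, 1, tzinfo=timezone.utc)
    cache = NotificationCache()
    msg = "meet at the usual place at 9"
    # App relying only on OS-level preview hiding (iMessage-style): full text cached.
    cache.deliver("iMessage", "Alice", msg, now - timedelta(hours=1))
    # Signal at its default "Name and Content": same exposure.
    title, body = render_in_app("Alice", msg, "name_and_content")
    cache.deliver("Signal-default", title, body, now - timedelta(hours=1))
    # Signal at "No Name or Content": nothing useful ever reaches the cache.
    title, body = render_in_app("Alice", msg, "no_name_or_content")
    cache.deliver("Signal-sanitized", title, body, now - timedelta(hours=1))
    # A notification older than the retention window, removed by the purge.
    cache.deliver("iMessage", "Bob", "old plan", now - timedelta(days=45))
    cache.purge(now)
    return cache.recovered()


if __name__ == "__main__":
    for app, rows in simulate().items():
        print(app, rows)
```

The point the model makes: `lock_screen()` with previews hidden never changes what `deliver()` wrote, so only the in-app mode that hands the OS a generic body keeps message text out of the store. On a real device the store is Apple's, not this table, so treat the retention purge and schema as illustrative only.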
Some interesting takeaways for iPhone + Signal users. I don't have an iPhone but curious if the recommended settings in Privacy Guides account for the notification logs.
I was just thinking about the same question. This source says KnowledgeC DB is 28-30 days.
I also found this link really interesting. While dated, it has a lot of detail about what was captured in KnowledgeC DB (at least at that point in time).
They likely do but it would be worth it to investigate Android as well since… Why not.
This is why I think it’s worth asking someone who knows like @fria or @jonah who use these. Is there any way to account for this leak?
I don’t imagine it’s something nefarious from Apple, likely a convenience thing for both users and developers, but hopefully something you can disable in some way.
Fair, but misleading marketing is par for the course. Not that it's ideal but that is just what one should expect in this age. But as you say, Apple is Privacy Possible versus the consumer expectation of Privacy by Default.
This particular leak was due to them not using their resources to pen test beyond what they might consider reasonable assumptions. They are doing “good enough” for the public to remain convinced they are privacy by default. If that is actually true is not the company's true concern.
The only way these days to get that are communities that dogfood their own product and truly care about the outcome like GrapheneOS.
Yes, if notifications are turned off then this specific issue would be a non-issue. So, muted groups/1-2-1 chats would also not be an issue.
My settings are now set to “No name or content” in Signal, and I’ve gone into iOS and changed to remove all previews. Apple AI is off in any case, too.
I'm not sure if this is a solution (or at least a viable interim measure) to prevent the Apple notifications storing your actual message. I don't know enough about how it's stored to give any technical assurances. Perhaps others may know if this is viable?
Another solution would have been to be in lock down mode without biometrics enabled. That would have prevented physical exploitation of the iPhone in question.