FBI forensically pulled deleted Signal messages from an iPhone's push notification database in a terrorism trial, exposing a flaw iOS users didn't know existed.
The FBI pulled off something most Signal users thought was impossible. Agents forensically recovered deleted Signal messages from a defendant's iPhone, not from the app itself but from a hidden corner of iOS that quietly stores push notification data, according to a 404 Media report citing several witnesses present during FBI testimony.
The case involved a group accused of vandalizing the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one individual shooting a police officer in the neck. It also marked the first prosecution under President Trump's designation of "Antifa" as a terrorist organization. Signal had already been deleted from the device. It didn't matter.
What the FBI Found Sitting in Plain Sight
The push notification database on iPhones stores incoming message content for up to one month. Every messaging app that sends notifications is affected. As IntCyberDigest noted on X, "notification storage stores data from all messaging apps — it's a big flaw in iOS."
That flaw is what agents exploited. Specialized forensic software, run with physical access to the device, pulled the message content directly from that database. Signal does have a setting that blocks content from appearing in push notifications. The defendant apparently had not turned it on.
IntCyberDigest also confirmed on X that there is a way to disable this storage. Most users have no idea it exists.
Durov Points Back to 2013
Pavel Durov didn't stay quiet. The Telegram CEO responded directly to the FBI story on X at @durov, writing that Telegram Secret Chats have never shown message content in push notifications, and that this design choice dates to 2013. He called Secret Chats "the most secure usable way to communicate" and went further, questioning Signal's infrastructure.
Durov said the US government-funded Signal carries "too many questionable dependencies on other US companies", naming AWS, Microsoft, and Intel SGX specifically. His post framed Telegram's approach as a deliberate architectural decision, not an afterthought.
Durov has been vocal on surveillance and government reach before. He left France earlier this year under modified judicial supervision following his August 2024 arrest over allegations tied to Telegram's content moderation practices.
What This Means for Signal Users
Signal's end-to-end encryption itself was not broken. The messages were not intercepted in transit. They were sitting in a separate iOS system that handles notifications, a database outside Signal's control unless users manually disable notification previews.
The feature to block message content from push notifications exists in Signal's settings. It just isn't on by default. And the broader context of Durov's recent moves against government surveillance pressure suggests this gap between design and default settings is exactly the kind of thing that gets people caught.
The Texas case is a first. But the forensic method it uncovered has been available to law enforcement for some time. Users who assumed deletion meant erasure just found out otherwise.
