Apple’s Hidden Notification Trap: How FBI Pulled Deleted Signal Texts from iPhone Ghosts

Apple patched a notification bug that let the FBI extract deleted Signal messages from iPhone caches, even after the app itself was deleted. The iOS 26.4.2 fix wipes old data and prevents future leaks, and Signal praised the quick response.
Written by Victoria Mossi

A suspect thought he’d erased his tracks. Signal app gone. Messages set to vanish. Yet the FBI pulled texts straight from the iPhone’s guts.

Those messages lingered in Apple’s notification database. Push alerts that popped up with message previews—never fully deleted. Forensic tools cracked them open. The case? Vandalism at an ICE facility in Texas. Court testimony laid it bare, as first reported by 404 Media.

Apple calls it CVE-2026-28950. A logging flaw in Notification Services. ‘Notifications marked for deletion could be unexpectedly retained on the device,’ the company states in its security bulletin for iOS 26.4.2 and iPadOS 26.4.2. Fixed with better data redaction. No fanfare. Just a quiet patch on April 22, 2026.

Backported too. iOS 18.7.8 and iPadOS 18.7.8 cover older gear. Apple told 9to5Mac it spotted push notifications sticking around when they shouldn’t. The update not only plugs the hole—it wipes old cached notifications. Retroactive cleanup.

Signal didn’t break. iOS did. End-to-end encryption held. But previews in notifications? Those hit the system’s storage unencrypted. Swipe them away. Dismiss the app. Even delete Signal itself. Copies stayed buried for weeks, maybe a month. FBI agents testified they forensically extracted incoming message content from that internal memory, per BleepingComputer.

And the response? Swift. Signal’s official account posted on X: ‘We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.’ Once patched, ‘all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications.’

Signal President Meredith Whittaker echoed that. Set notifications to ‘No Name or Content.’ Don’t let previews leak in the first place. Simple toggle in Signal’s settings. Wise for WhatsApp, Telegram—any app handling sensitive chats.

But here’s the rub. This wasn’t isolated. Law enforcement has leaned on push notifications before. Apple hands over token data to governments worldwide. Thousands of requests yearly. Now, content itself slipped through a glitch. Ars Technica notes users on Bluesky griping: ‘The notification content surviving app deletion is the wild part.’ Another: ‘By having message previews in notifications, you’re giving the OS access to that content without being sure how it will handle those messages.’

TechCrunch spells it out in its coverage: Notifications cached for up to a month. Forensic extraction child’s play for feds. Signal pushed Apple directly. Fix came fast.

ZDNet breaks it down: iOS 26.4.2 seals the flaw. Protects Signal texts. But ripples beyond. Any app using push previews vulnerable pre-patch. ZDNet warns—update now.

Privacy pros cheer the patch. Yet questions linger. How long exactly did notifications persist? Apple stays mum on exploitation details. No word on other caches. The Electronic Frontier Foundation, via Straight Arrow News, flags metadata risks in app notifications. No easy audit.

MacRumors pins the timeline: Apple learned via court leaks. Released eight updates April 22. MacRumors confirms—the defendant deleted Signal, enabled disappearing messages. iPhone held on anyway.

The Verge nods: Patch matches the bug. The Verge ties it straight to 404 Media’s scoop.

So what now? Update. iOS 26.4.2. iOS 18.7.8. Tweak notification previews to ‘Never.’ Signal remains gold standard—open protocol, audited servers. But iOS layers matter. One weak link unravels the chain.
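
For anyone managing more than one device, the update advice above can be checked against an inventory. The following is an added example, not code from Apple, Signal, or the reporting cited here; the inventory records and field names are constructed, and versions outside the 26.x and 18.x trains are reported as unknown because the article names fixes only for those two.

```python
import re

# Minimum fixed version per major release train, as named in the article
# for CVE-2026-28950 (iOS/iPadOS 26.4.2 and the 18.7.8 backport).
FIXED = {26: (26, 4, 2), 18: (18, 7, 8)}

def parse_version(text):
    """Turn '26.4' or '18.7.8' into a 3-tuple, padding missing parts with 0."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def patch_status(os_version):
    """Return 'patched', 'needs-update', or 'unknown' for one device."""
    try:
        v = parse_version(os_version)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(v[0])
    if fixed is None:
        # The article gives no fixed build for this release train.
        return "unknown"
    # Tuples compare numerically, so 26.10 correctly sorts after 26.4.2.
    return "patched" if v >= fixed else "needs-update"

def triage(inventory):
    """Group device names by patch status."""
    out = {"patched": [], "needs-update": [], "unknown": []}
    for dev in inventory:
        out[patch_status(dev["os_version"])].append(dev["name"])
    return out

# Constructed sample inventory (hypothetical device names and field names).
SAMPLE = [
    {"name": "iphone-01", "os_version": "26.4.2"},
    {"name": "iphone-02", "os_version": "26.4"},
    {"name": "ipad-03", "os_version": "18.7.8"},
    {"name": "iphone-04", "os_version": "18.6"},
    {"name": "iphone-05", "os_version": "17.7.2"},
    {"name": "iphone-06", "os_version": "26.10"},
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status}: {', '.join(names)}")
```

A patched build only covers the retention bug; the preview setting still decides whether message text reaches the notification system at all.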

Law enforcement wins early. Suspect convicted? Details fuzzy. But the fix levels the field. For everyone else—assumptions about deletion? Rethink them. Ghosts in the machine. Gone for good this time.
