Apple fixes bug that cops used to extract deleted chat messages from iPhones

· hn top · Source ↗

TLDR

  • Apple patched an iOS bug where Signal notification text persisted in a local OS notification database after the app was deleted.

Key Takeaways

  • The fix is backported to iOS 18, not just the latest release.
  • The root cause: iOS stores decrypted notification content in a system-level database outside the app sandbox.
  • Deleting Signal marked its notifications for deletion, but the bug prevented actual removal from the OS database.
  • The deeper structural issue remains: Apple and Google relay push notification content through their servers by design, creating a persistent interception surface.
  • Mitigation available now: set Signal notifications to generic mode (“You’ve received a message”) to prevent plaintext content from entering the OS notification pipeline.

Hacker News Comment Review

  • Commenters distinguish two separate problems: the fixed bug (notifications not purged on app deletion) and the unfixed architectural issue (notification text stored in an OS DB outside app control).
  • Consensus: the article undersells the systemic risk. Push notification infrastructure at Apple/Google is subject to both government legal process and third-party infrastructure attacks.
  • Practical frustration: Signal actively prompts users to re-enable full notifications, working against privacy-preserving defaults.
  • The notification privacy problem has been documented in privacy research circles for years; this case just made it forensically concrete.

Notable Comments

  • @6thbit: Clearly distinguishes the patched bug from the unpatched root cause: notification text lives in an OS DB that Signal cannot control.
  • @dlcarrier: Notes Apple/Google’s central notification relay creates a warrantless wiretapping surface and advises generic notification settings as the only reliable mitigation.
  • @650REDHAIR: “Signal reminded me to re-enable them” – Signal’s own UX nudges users away from the safer configuration.
  • @modeless: Clarifies the trust boundary failure: Signal encrypts push payloads in transit, but the OS decrypts and then persists the plaintext locally without the app’s involvement.

Original | Discuss on HN