Apple patches Signal notification bug
- Apple released iOS 26.4.2 to fix a bug that could leave deleted Signal notifications accessible on iPhones. (theverge.com)
- Reports say deleted Signal messages could remain in an iPhone notification database, potentially recoverable by attackers or investigators. (cybersecuritynews.com)
- The flaw highlights that endpoint artefacts can undermine app encryption, complicating e‑discovery and internal probes. (theverge.com)

Apple released iOS 26.4.2 on April 22 to fix a bug that could keep supposedly deleted notifications stored on iPhones. (support.apple.com)

Apple’s security bulletin says the flaw sat in Notification Services and meant “notifications marked for deletion could be unexpectedly retained on the device.” Apple assigned it CVE-2026-28950 and said it fixed the issue with “improved data redaction.” (support.apple.com)

Apple also shipped the same fix to older devices in iOS 18.7.8 and iPadOS 18.7.8 on April 22. The affected hardware list includes iPhone XR, iPhone XS, iPhone 11 and later, plus several recent iPad models. (support.apple.com)

A phone notification is the short preview that appears on the lock screen or in the notification center when a message arrives. In this case, reporting said copies of incoming Signal message previews could remain in Apple’s notification database even after the app deleted the messages or the user removed the app. (404media.co)

That meant investigators did not need to break Signal’s encryption to read some message content. They could recover the text from the iPhone itself, where the operating system had kept the notification record. (techcrunch.com)

The issue surfaced publicly after 404 Media reported on April 9 that Federal Bureau of Investigation agents extracted Signal messages from an iPhone in a federal case tied to an attack on the Prairieland Detention Facility in Alvarado, Texas. The report said the messages came from the phone’s push-notification database, not from Signal’s servers. (404media.co)

Signal President Meredith Whittaker said on April 15 that “notifications for deleted messages shouldn’t remain in any OS notification database.” Apple did not publicly describe the Signal case in its advisory, but multiple outlets tied the patch to the same notification-retention behavior reported earlier this month. (cybernews.com, theverge.com)

The bug did not mean Signal’s encryption failed, and reporting on the case said only incoming messages were recovered through notifications. It showed that a secure app can still leak readable fragments when the phone’s own software keeps a copy outside the app. (forbes.com)

For iPhone users, the immediate step is simple: install iOS 26.4.2 or iOS 18.7.8. Apple’s patch closes the gap that let deleted notification data linger after it was supposed to be gone. (support.apple.com, support.apple.com)