iOS Notification Leak Fixed
- Apple released iOS 26.4.2 and iPadOS 26.4.2 as security updates this week. - The patch fixes a notification-service flaw that reportedly allowed extraction of Signal message previews even after app deletion. - The bug highlights hidden OS-level persistence for notifications and the gap between visible app state and stored data. (macrumors.com)
Apple pushed iOS 26.4.2 and iPadOS 26.4.2 on April 22 to stop iPhones and iPads from keeping some deleted notifications on the device. (support.apple.com) Apple’s security bulletin says the flaw sat in Notification Services, affected iPhone 11 and later plus recent iPads, and let “notifications marked for deletion” stay behind because of a logging issue. Apple assigned it CVE-2026-28950 and said it fixed the bug with improved data redaction. (support.apple.com) Notifications are small copies of app activity that iOS stores so it can show alerts on the Lock Screen and in Notification Center. In the case reported this month, that system-level storage kept Signal message previews even after the messages disappeared inside Signal and even after the app was removed from the phone. (404media.co) 404 Media reported on April 9 that Federal Bureau of Investigation testimony in a Texas criminal case described agents extracting incoming Signal messages from an iPhone’s push-notification database. Forbes, citing digital forensics analysis, said the recovered material was incoming message content, not Signal’s encrypted message store and not outgoing messages. (404media.co) (forbes.com) That distinction matters because Signal’s end-to-end encryption was not the part that failed in this episode. The messages were exposed in the operating system’s alert history, a separate layer Apple controls. (forbes.com) (aboutsignal.com) Apple also released iOS 18.7.8 and iPadOS 18.7.8 the same day for older devices, according to its security releases page and multiple follow-up reports. That means the fix was not limited to the newest operating system branch. (support.apple.com) (bleepingcomputer.com) Signal had already changed its app to reduce what appears in iPhone notifications, and Signal President Meredith Whittaker said on April 15 that deleted-message notifications should not remain in any operating-system database. After Apple shipped the patch, Signal said the update addresses the iOS-side issue exposed by the reporting. (cybernews.com) (aboutsignal.com) The practical lesson is narrower than “Signal was broken” and broader than “one app had a bug.” On iPhones, deleting an app or clearing a chat did not always erase the notification traces that iOS had already saved, and Apple’s April 22 patch was aimed at closing that gap. (support.apple.com) (theverge.com)
