‘Disappearing’ Signal chats recovered

A disappearing message is supposed to work like self-erasing ink: the chat app shows it for a while, then removes it from the conversation history on both phones. Signal says that timer deletes the message from your devices after it expires, while also warning that a recipient can still save a copy another way. (signal.org) What changed this week is that federal investigators in a Texas case reportedly pulled back incoming Signal messages from an iPhone even after the app had been removed. Multiple reports say the messages came from Apple’s notification storage, not from breaking Signal’s end-to-end encryption. (9to5mac.com) End-to-end encryption is the part that keeps a message scrambled while it travels between phones, like a sealed envelope only sender and recipient can open. The reports on this case all say that protection held up, and the readable text showed up elsewhere because iOS had already displayed it as a notification preview. (theverge.com) An iPhone notification preview is the short line of text that can appear on the lock screen before you even open an app. Apple says users can choose to show those previews “Always,” and that setting is enough to put message content on the lock screen in plain text. (support.apple.com) Once that preview exists, the phone’s operating system can keep a record of the alert outside the app itself. Forensics researchers have documented iPhone databases such as KnowledgeC.db storing notification events, including app bundle identifiers and notification actions tied to received alerts. (dfir.pubpub.org) That detail explains why only incoming messages were reportedly recovered in this case. Incoming messages create push notifications on the recipient’s phone, while outgoing messages usually do not create the same kind of stored preview on that same device. (forbes.com) It also explains why deleting Signal did not necessarily delete the evidence investigators found. Reports on the case say the app was gone, but the notification artifact remained in Apple’s system storage long enough for forensic extraction. (techspot.com) Signal has long separated app privacy from phone-level behavior. Its support pages point users to operating system notification settings, and its disappearing-messages page says the feature is not designed for situations where the other person is the adversary. (signal.org) The practical fix is boring but specific: stop message text from appearing in notifications in the first place. Apple lets iPhone users change “Show Previews,” and privacy guides published after this case say turning previews off prevents readable chat text from being copied into the same notification trail. (support.apple.com) So the lesson is narrower than “Signal was broken” and broader than “one suspect got unlucky.” If a secure app hands plain text to the lock screen, the phone can leave a second copy behind, and that copy may last longer than the chat itself. (forbes.com)