iPhone forensics expose Signal messages after app removal in U.S. case
2026-4-13 11:33:46 Author: securityaffairs.com (view original) Reads: 20

An FBI case in Texas shows Signal messages can still be recovered from iPhones even after app uninstall, via system artifacts, challenging privacy assumptions.

The recent revelations about FBI forensic access to Signal messages on an iPhone have reignited a long-standing misunderstanding about mobile privacy: the belief that disappearing messages and encrypted apps guarantee that no trace of communication remains once a message is deleted or an app is removed. A court case in Texas, reported by 404 Media and later analyzed by multiple security researchers, shows why that assumption does not match how modern smartphones actually work.

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck.” reads the post published by 404 Media. “The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places.”

Investigators were able to recover incoming messages from a suspect’s iPhone even after Signal had been uninstalled and even though the messages themselves were configured to disappear after a short time. The FBI did not break Signal’s encryption, nor did they exploit any vulnerability in its protocol. Instead, the data was retrieved from a completely different layer of the system: Apple’s own notification storage.

Court testimony reveals that only incoming messages were recovered, not outgoing ones. This distinction matters because incoming messages pass through Apple’s push notification system, are temporarily stored for lock screen and notification previews, and may leave traces in the operating system even after they are deleted from the app. Outgoing messages never produce a notification on the sender’s device, which explains why investigators could not recover them.

Users misunderstand what “deleting” or “disappearing” actually means. Messaging apps like Signal encrypt messages in transit and remove them from their own interface when the timer expires, but once a message is delivered it is decrypted on the recipient’s device for display. The OS may then cache the notification content independently, outside Signal’s control.

“There is an important detail to keep in mind here: only incoming messages were recovered, not outgoing ones. This is entirely consistent with how push notifications work.” reads an analysis published by researcher Andrea Fortuna. “When someone sends you a message on Signal, the app server pushes a notification to Apple’s infrastructure, which then delivers it to your device. If the notification content was not stripped before delivery, the text lands in the operating system’s notification database. Outgoing messages, which originate directly from your device to the server, never go through this pathway and therefore leave no equivalent trace.”

Apple’s Push Notification service routes encrypted messages to devices addressed by device tokens. Payloads with visible alerts (when previews are enabled) are decrypted locally, but the alert itself is rendered by iOS, which caches notification data for features such as notification history and recovery after a reboot. Those iOS databases can retain fragments even after the app is deleted, which is what allows forensic recovery of past notifications despite end-to-end encryption.

Security researchers and forensic analysts have long known that iOS maintains structured databases for notifications, often associated with system frameworks that track alerts and user interactions. These databases can persist even after an app is removed. In practice, this means that uninstalling Signal does not necessarily erase all traces of messages that once appeared on the screen. Instead, fragments of those messages can remain embedded in system-level storage designed for convenience features like notification history.

Forensic tools extract data from full filesystem images, backups, or snapshots taken from an unlocked device. They examine data the operating system has already decrypted, such as system databases, cached files, and notification content; they do not break the app’s encryption, but read what iOS has stored in the clear for usability.

In the Texas case, the FBI likely recovered Signal message remnants not by breaking encryption, but through iOS forensic artifacts stored on the device. Fortuna explained that one plausible route is a logical acquisition after the phone had been unlocked at least once (AFU state), followed by analysis of an encrypted iTunes backup, which can contain rich system and app data, including notification databases. Tools such as idevicebackup2 can extract backups without modifying the device.

Another possibility is the use of commercial forensic suites like Cellebrite UFED or Magnet AXIOM, which combine backup extraction, AFC-based logical access, and sometimes exploit-based methods to retrieve deeper iOS artifacts. These tools are widely used by law enforcement to access data not available through standard backups.

A third scenario involves iCloud backups, which—when legally obtained—may also include similar system-level data. Across all methods, the key point is that iOS preserves many artifacts beyond what users see. As a result, “deleted” or “uninstalled” does not necessarily mean unrecoverable in forensic contexts.
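As an added example (not code from the article, from Signal, or from any forensic vendor), a small Python audit over the Manifest.db index of an iOS backup that separates an app’s own container files, which uninstalling removes, from system-domain files that still name the bundle and therefore survive removal. The Files table layout is the real iOS 10+ backup schema; the bundle id, the paths and the rows are constructed placeholders (the HomeDomain notification path in particular is assumed, not a documented iOS location), and the Manifest.db of an encrypted backup must be decrypted before it can be queried like this.

```python
import sqlite3
import sys

# Constructed Manifest.db rows (iOS 10+ backup schema: Files(fileID, domain,
# relativePath, flags, file)). The bundle id and every path below are
# placeholders built for this example, not real Signal or iOS file names.
BUNDLE = "org.example.secure-messenger"
SAMPLE_ROWS = [
    ("a1", f"AppDomain-{BUNDLE}", "Library/Preferences/app.plist", 1, None),
    ("a2", f"AppDomainGroup-group.{BUNDLE}", "db/messages.sqlite", 1, None),
    # Assumed system-domain location for notification residue (placeholder).
    ("a3", "HomeDomain", f"Library/UserNotifications/{BUNDLE}/history.db", 1, None),
    ("a4", "HomeDomain", "Library/Preferences/com.apple.springboard.plist", 1, None),
    ("a5", "CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", 1, None),
]


def open_manifest(path=None):
    """Open a real (already decrypted) Manifest.db, or build the sample in memory."""
    if path:
        return sqlite3.connect(path)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    conn.executemany("INSERT INTO Files VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def app_containers(conn, bundle):
    """Files inside the app's own sandbox containers; these go away on uninstall."""
    cur = conn.execute(
        "SELECT domain, relativePath FROM Files WHERE domain = ? OR domain = ?",
        (f"AppDomain-{bundle}", f"AppDomainGroup-group.{bundle}"))
    return cur.fetchall()


def residual_artifacts(conn, bundle):
    """Files outside the app's containers whose path still names the bundle.
    Uninstalling the app does not touch these system-domain rows, so they are
    the kind of trace a backup examination can surface after removal."""
    cur = conn.execute(
        "SELECT domain, relativePath FROM Files "
        "WHERE domain NOT LIKE 'AppDomain%' AND relativePath LIKE ? ORDER BY fileID",
        (f"%{bundle}%",))
    return cur.fetchall()


if __name__ == "__main__":
    db = open_manifest(sys.argv[1] if len(sys.argv) > 1 else None)
    bundle = sys.argv[2] if len(sys.argv) > 2 else BUNDLE
    print("app containers (removed on uninstall):", app_containers(db, bundle))
    print("system-domain residue (survives uninstall):", residual_artifacts(db, bundle))
```

Run with no arguments to audit the constructed sample, or pass a decrypted Manifest.db path and a bundle id to check a real backup.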

In the Texas case, the FBI reportedly retrieved evidence from Apple’s internal notification storage rather than from Signal itself. Once an iPhone is unlocked after reboot (“after first unlock”), more encrypted system data becomes accessible through standard forensic methods, including notification databases. This reveals a gap between user assumptions and system behavior.

Many people believe disappearing messages or app deletion means complete erasure. In reality, mobile operating systems retain data such as notification history, caches, logs, and predictive text for usability and performance, and these artifacts can persist beyond app removal.

Signal’s encryption remains intact; the issue lies in the operating system, which can store message content independently.

Users can reduce this risk by disabling notification previews or enabling the app’s “content hidden” notification mode, so that readable message text is never written to the device’s notification storage.

The FBI case highlights that digital privacy is layered. Encryption protects data in transit, but not always data at rest. Messaging apps can delete messages from their own systems, but they cannot fully control how operating systems store notifications or system-level data.

Even secure apps like Signal or WhatsApp operate within ecosystems designed for usability and persistence, not perfect data erasure. As a result, messages may vanish from the screen but still leave traces on the device.

The key lesson is that disappearance in an app does not guarantee disappearance from the phone. Smartphones inevitably retain system-level data, creating layers of information that persist beyond the user’s view.

Pierluigi Paganini

(SecurityAffairs – hacking, Signal)
Source: https://securityaffairs.com/190740/security/iphone-forensics-expose-signal-messages-after-app-removal-in-u-s-case.html