Forensic Extraction Reveals Signal Messages Persist on iPhone After App Deletion, Undermining Assumed Privacy
What Happened — In a Texas FBI case, investigators recovered incoming Signal messages from a suspect’s iPhone even after the Signal app had been uninstalled. The data was sourced from Apple’s push‑notification database, not from a break in Signal’s encryption.
Why It Matters for TPRM —
- Endpoint data‑retention can expose “disappearing” communications, creating hidden compliance risks.
- Vendors that rely on client‑side encryption must consider OS‑level artifact leakage.
- Third‑party risk assessments that ignore mobile OS storage may underestimate data‑exfiltration exposure.
Who Is Affected — Mobile‑device users of encrypted messaging apps (Signal, WhatsApp, etc.), enterprises that enforce BYOD policies, and any organization that treats encrypted apps as its sole data‑protection control.
Recommended Actions — Review mobile device management (MDM) policies, enforce secure wiping of notification caches, and validate that endpoint security controls cover OS‑level storage.
Technical Notes — The recovery leveraged forensic tools to dump Apple’s push_notification.db, which retains incoming message payloads for lock‑screen previews. No CVE or protocol flaw was exploited; the issue stems from default iOS behavior.
Source: Security Affairs