How the FBI Recovered Deleted Signal Messages From a Defendant’s iPhone

You may have heard of Signal, the encrypted chat app the US government infamously used to discuss military plans last year. (The horror!) But while it’s not an alternative to a secure indoor facility (SCIF), it’s a good option for more secure communication. Signal uses end-to-end encryption (E2EE), which, simply put, means messages are “encrypted” during transmission and can only be “decrypted” by the sender and receiver(s). If you’re in a Signal chat, you’ll be able to read incoming messages just like you would in any other chat app—if you’re an attacker and intercept that message, you’ll only find unreadable, scrambled data.

End-to-end encryption (E2EE) makes it difficult for anyone not using your unlocked device (or the unlocked Signal app) to read your Signal messages—it’s difficult, but not impossible. This is partly why the chat app isn’t suitable for government employees (though no third-party chat app is). But it’s also a good reminder that no matter who you are, your secure chats aren’t immune to external threats. If someone wants to hack your chats, they can find a way.

The FBI recently recovered deleted Signal messages from an iPhone.

As an example, as 404 Media reports, the FBI recently retrieved incoming Signal messages from a defendant’s iPhone. The user even deleted the app from their device, which only created an additional obstacle for investigators. One might assume that deleting the app itself would protect the encrypted messages. However, as it turns out, the FBI didn’t need access to the Signal app at all. While they were unable to retrieve the defendant’s outgoing messages, they were able to retrieve incoming messages from the iPhone’s push notification database. (I’ve been covering the iPhone for nearly a decade and didn’t know iOS even had a push notification database—though it probably makes sense, given that alerts sit in the Notification Center until you manually open or dismiss them.)


This came to light in a case involving a group of individuals allegedly vandalizing and setting off fireworks at the ICE Prairieland Detention Center. One of the officers involved in the incident was shot in the neck. According to a supporter of the defendants who took notes during the trial, the court found that any app with permission to display previews and notifications on the lock screen stores these previews in the iPhone’s internal memory. Thus, the FBI was able to obtain messages received by the defendant, even though these messages were configured to disappear within the app and the app itself had been deleted from the device.

Again, this isn’t a vulnerability exclusive to Signal: any app that displays notifications on the lock screen is vulnerable. The FBI likely also reviewed numerous other notifications from any apps running on the defendant’s iPhone. Consider the notifications you might have in your Notification Center right now: text messages, reminders, news alerts, purchases, private messages, and so on. All of these could be exposed to anyone with the surveillance technology to access your iPhone—locked or not.


How to prevent this in the future

If you use Signal, now that you’re aware of this vulnerability, you have an advantage. Signal has a setting that prevents message content from being displayed in notifications. This means that even if someone gains access to your notifications, they’ll only see that you’ve received a Signal message—not who sent it or what it contains.

To enable this feature, open Signal, tap your profile in the upper-left corner, then tap “Settings.” Under “Notification Content,” select “No Name or Content” to block all notification data. You can compromise and select “Name Only” if you want to know who a message is from before opening it—just remember that someone who views your iPhone’s notifications might also see that you received a message from that person.
