This was a bug that left it cached on the device. Apple and Google have put themselves in the middle of most notifications, causing the contents to pass through their servers, which means that they are subject to all the standard warrantless wiretapping directly from governments, as well as third-party attacks on the infrastructure in place to support that monitoring.

If you don't want end-to-end messages made available to others, set your notifications to only show that you have a message, not what it contains or who its from.

The "bug" discussed in the article is only part of the problem.

The main problem, which is notifications text is stored on a DB in the phone outside of signal, is not addressed. To avoid that you have to change your settings.

In this case, the defendant had deleted the signal app completely, and that likely internally marks those app's notifications for deletion from the DB, so the bug fixed here is that they were not removing notifications from the local database when the app that generated them was removed, now they do.

  Impact: Notifications marked for deletion could be unexpectedly retained on the device
  Description: A logging issue was addressed with improved data redaction.
  CVE-2026-28950

They classify this as "loggging issue" so it sounds like notifications were not actually in the database itself but ended up in some log.

Oh, I was originally confused about this because I had thought the push notifications were end-to-end encrypted, so they couldn't be cached in readable form by the push notification service, and only decrypted by the app on device upon receiving the notification. But it seems like after the notification was decrypted by the app and shown to the user using OS APIs, the notification text was was then stored by the OS in some kind of notification history DB locally on the device?

Note that Signal offers the option to use generic “You’ve received messages” notifications - it’s good practice in general.

Nice. Will Apple now also fix the "bug" where you delete a message on your phone, and 3 months later it downloads on your iPad or Watch, and you can never be sure your messages are really gone?

Before anyone asks: No , I didnt turn on any setting to save all my messages to some external server and download them whenever, even if I delete them locally

This is a problem with all kinds of apps. There is no discipline in the handling of user data. Take the notes app. When you delete text it not gone you can still see it in the sqlite database they use for storage. I'm sure this is so they can support sync be recording your changes as CRDTs or something.

And if the app isn't leaky, the OS will probsbly screw you like in this case. The concept of being able to clean up your laptop is just not supported, you have to wipe the whole device which is ridiculous.

Signal deletes the message. Apple keeps the notification that shows the message. For a month. On-device. This is exactly the kind of bug that isn't a bug it's what happens when privacy is owned by the app but the OS isn't aligned.

So for third party apps this seems like if you do e2e then along with this bug fix your texts are safe. E2E apps could be independently verified by a third party let’s say.

But what about iMessage. The source code will never be available for neither the servers nor the app.

I’m frustrated that Signal isn’t notifying users about this.

I disabled notifications and instead Signal reminded me to re-enable them…

In privacy circles, this was always known, as Google/Apple often sends notification content to their servers (which means that it bypass the App realm).

Some people talking about it (different but in the same scope of issue): https://blog.davidlibeau.fr/push-notifications-are-a-privacy...

Thankfully Apple backported the fix the iOS 18 as well.

Looking at the detritus in the filesystem on Jailbroken iOS devices you will observe that iOS decides to vacuum, purge, and let linger all sorts of databases and logs until something triggers a cleanup which is usually time or an iCloud sign-out induced erase and subsequent sync. People have been complaining for years about excessive phantom “system storage” and “other data.” Interestingly the photos thumbs database can grow seemingly indefinitely in size for some weeks or more if you’re regularly deleting all of your photos and saving to photos from apps or taking photos. I suspect that there a lot of behavioral data records that is left on most devices until a convenient period of inactivity passes and the possible user behavior analysis and reporting functions of iOS allow whatever cleanup happens after processing on device. It would be useful to capture iCloud backup restores from physical devices to corellium virtual devices with some creative matching of your existing idevices identifiers. Could see what triggers a cleanup during backups, local or otherwise, get a good look at what is being restored from iCloud. I also think it’s possible that iCloud can sync a database, say safari bookmarks, pushing it to the device inducing a state where the device bookmarks are moved to inaccessible tables and left there, unavailable to the end user, but not out of sync with the current active session state. Of course this is just my musing based on observations of weekly ffs extractions of a few devices over the last 5 years.

Who cares, Apple as any other US company must cooperate with "cops" or 3-letter agencies.

Not publicly, of course.

Ask yourself, do you really own your device? Can you access kernel? Can you flash your own firmware on your device? No?

Then you DON'T own it.

That was definitely necessary, becuase the major reason people buy iphones is privacy and security

I would never rely on a closed system for secure messaging to many unknowns.

This makes me wonder: Cellebrite makes tools for law enforcement to break into iPhones, likely exploiting weaknesses/vulnerabilities. Does Apple buy Cellebrite’s tools and reverse engineer them? Or would they not have a way of acquiring them legally?

“Bug”. More like a “bugdoor”

have you ever thought maybe Apple is creating a backdoor like this to make secret deals with gov orgs.

trusting a valley company is the last thing you could do since there is a ton of money to be made from selling secrets

Makes you think what’s the biggest concerns wrt Mythos — is it finding or fixing the vulnerabilities that’s scarier :))

every time something like this surfaces I'm reminded how many privacy guarantees end at the app boundary. you can do all the e2e crypto you want, the OS layer is going to do whatever it does with your strings once they hit a render path. probably an unsolvable category of bug as long as notifications need to show readable text somewhere.

It's not new that push notifications should be presumed to be insecure, with their content passing through - and probably persisted - outside the app sandbox and anything in control of in-app encryption.

Apple should have fixed this long ago (not that you can trust a closed system), but Signal should also have strong guardrails & warnings around allowing message content in push notifications.

Cat and Mouse, good. This is the adversarial setup that results in a better outcome for all.

I wonder if the same flaw exists on Android/GrapheneOS.

Anthropic Mythos at work! iOS is so good and well built that only 1 bug was found and those patch. "It's either all a joke ... or none of it is." -Bruce Banner

Finally!

It is completely unclear from this article whether this means Apple does no longer cache dismissed notifications somewhere.

I like apple, but would never trust them with privacy. NYPD uses ISMI catchers and other tech. This is a nothing burger or nothing donut.

I think people are too focused on the device part of it.

Whatever Apple did to block access to the cache does not negate the fact that these notification messages are still being sent in plaintext through Apple and Google’s servers.

It’s hard to imagine that Apple/Google couldn’t just be compelled to hand this information over if ordered by a court and wouldn’t need your phone at all.

And this loophole possibly only hinges on the fact that most law enforcement maybe never realized this was something they could ask for.

Or perhaps this is happening and the public just doesn’t know it yet.

bug or backdoor?

Good. Now, are they fixing any of their other gazillion bugs?

[dead]

[dead]

[flagged]

This has nothing to do with Apple/Firebase notification service.

It has to do with the fact that any notification displayed on your device goes via a separate system service which was caching them.

It is amusing to see how often people confuse device notifications with Apple notification service.

> This was because notifications that displayed the messages’ content were also cached on the device for up to a month.

Why can't we have notification history just like on Android then. It's very useful when you dismiss a notification you didn't want to, or you look for some old stuff.

Heads up. They have released an iOS 18 update (good!) but, and please bear the caps:

UPDATING IOS WILL ENABLE AUTOMATIC UPDATES TO IOS 26.

(Bad!) This is a new shady tactic they're using trying to get iOS 18 users to install iOS 26.