Apple Addresses iOS Vulnerability That Retained Deleted Signal Messages
Apple has recently released critical updates for iOS and iPadOS to fix a significant flaw in the Notification Services component, tracked as CVE-2026-28950. The flaw allowed notifications marked for deletion to be unexpectedly retained on devices, posing potential privacy risks.
Understanding the Vulnerability
The flaw, described as a logging issue, was addressed through improved data redaction techniques. Apple’s advisory highlighted that notifications intended for deletion could remain stored on the device, leading to unintended data retention.
Affected Devices and Patch Details
The vulnerability impacted a range of Apple devices, including:
– iPhone 11 and later models
– iPad Pro 12.9-inch (3rd generation and later)
– iPad Pro 11-inch (1st generation and later)
– iPad Air (3rd generation and later)
– iPad (8th generation and later)
– iPad mini (5th generation and later)
Apple addressed the issue in the following software versions:
– iOS 26.4.2 and iPadOS 26.4.2
– iOS 18.7.8 and iPadOS 18.7.8
Implications of the Flaw
The urgency of this update was underscored by reports indicating that the U.S. Federal Bureau of Investigation (FBI) had exploited this flaw to recover copies of incoming Signal messages from a defendant’s iPhone. This occurred even after the Signal app had been deleted, as the messages were stored in the device’s push notification database.
The exact reasons for the logging of notification content remain unclear. However, the recent update suggests that this was an unintended bug. It is also uncertain when this issue was introduced and whether similar data extractions have occurred in the past using forensic tools.
Recommendations for Users
To enhance privacy, Signal users can adjust their notification settings by navigating to their profile, selecting ‘Notifications,’ and choosing either ‘Name only’ or ‘No name or message’ under the ‘Show’ option.
Signal has assured users that no additional action is required for this fix. Once the patch is installed, all inadvertently preserved notifications will be deleted, and future notifications will not be retained for deleted applications.
The Electronic Frontier Foundation (EFF) emphasized the importance of understanding the metadata that might be gleaned from notifications and reconsidering the necessity of app notifications.
Conclusion
Apple’s swift response to this vulnerability highlights the company’s commitment to user privacy and data security. Users are strongly encouraged to update their devices promptly to benefit from these critical fixes and safeguard their personal information.