You delete a Signal message. You delete the Signal app. You assume the conversation is gone. In April 2026, the FBI proved otherwise — using a surveillance vector nobody was talking about. The Bug: CVE-2026-28950 On April 9, 2026, 404 Media reported that FBI forensic tools had extracted the contents of deleted Signal messages from a defendant's iPhone. The messages were not recovered from Signal. They were recovered from the iPhone's push notification database — a system-level log that iOS maintained even after the Signal app was uninstalled. When you receive a message, iOS generates a push notification. That notification content was being written to an internal database and retained. If you had notification previews enabled, the database contained the full text of your messages. Deleting the app did not delete the database. Apple assigned this CVE-2026-28950 and patched it in iOS 26.4.2 and iOS 18.7.8, released April 22, 2026. With the update, notifications marked for deletion should no longer be stored. But the damage window is years wide. How Push Notification Surveillance Works Push notifications are not a direct pipe from an app to your screen. Every notification passes through Apple's servers (iOS) or Google's servers (Android) before it reaches your device. This means Apple and Google have visibility into: Which app sent the notification When the notification was sent The account ID associated with the receiving device In some cases, the unencrypted content of the notification itself According to a letter Senator Ron Wyden sent to the Department of Justice, both Apple and Google may have access to unencrypted notification content. The companies collect at minimum the metadata — which apps you use and when. Apple and Google both now require a judge's order before handing push notification data to law enforcement, a policy change made after Wyden's inquiry. But Apple still shares data on hundreds of users under those orders, according to its own transparency reports. The Two-Point Surveillance Problem Notifications can betray your privacy at two distinct points. In Transit: When a notification is sent from an app to Apple or Google's servers, then pushed to your device, the content and metadata may be visible to the platform company. Signal handles this correctly — its push notifications are simply a ping that tells the app to wake up and check for messages. The content never touches Apple or Google's servers. Signal president Meredith Whittaker confirmed this publicly: "Push notifications for Signal NEVER contain sensitive unencrypted data and do not reveal the contents of any Signal messages or calls — not to Apple, not to Google, not to anyone but you and the people you're talking to." Most apps do not implement this. For the vast majority of applications, you have no way to know whether notification content is encrypted in transit or whether the platform companies can read it. On Device: Once notifications land on your phone, the OS may cache them in ways you cannot control. If notification previews are enabled, the content is visible on your lock screen without unlocking the device. And as the FBI case demonstrated, the notification database persists even after you delete the app that generated the messages. We still do not know the full extent of notification database retention. Key questions remain unanswered: How long are notification records stored on the device? Are notification databases backed up to iCloud or Google Drive? If so, are those backups end-to-end encrypted? Does deleting an app fully purge its notification data? What Signal and WhatsApp Offer Some apps give you control over notification content. Others don't. Signal provides three levels of notification detail: Name, Content, and Actions — Shows the full message, sender, and reply options Name only — Shows only who messaged you No name or content — Shows only that you have a new Signal message To change this on iPhone: Profile Picture > Settings > Notifications > Show. On Android: Profile Picture > Notifications > Show. WhatsApp offers a single option on iPhone: disable Show Preview in Notifications settings. Android does not have this toggle at the app level. For any other messaging app, you will need to search for "notification privacy" plus the app name to determine what data is exposed. Most apps do not document this. Device-Wide Protections Even if individual apps handle notifications correctly, the operating system may not. On iPhone: Go to Settings > Notifications > Show Previews. Change from "Always" to "When Unlocked" or "Never." "Never" means notifications won't display any content — just that you received a notification from an app. On Android: Settings > Notifications > Notifications on lock screen. Disable "Show sensitive content." Note that Android relies on app developers to mark content as sensitive, so this setting's effectiveness varies by app. AI Notification Summaries: Both iOS and Android offer AI-powered notification summaries. Apple Intelligence runs on-device. WhatsApp's summary feature sends data off-device. If you use secure messaging, review whether AI summaries are active and where the processing occurs. The EFF's Recommendations The EFF recommends three actions: Set secure messaging notifications to minimum detail. For Signal, use "No name or content." For WhatsApp, disable previews. Audit which apps can send notifications at all. Every app with notification permission is a potential surveillance vector. Disable notifications for any app that doesn't need them. Update your OS immediately. iOS 26.4.2 and 18.7.8 patch the notification database bug. The fix only applies going forward — historical notification data already on your device is not retroactively purged. Apple and Google need to go further. The EFF has called for both companies to ensure notification content is not transmitted in plain text, to prevent notification databases from being included in cloud backups, and to fully purge notification data when an app is deleted. Until these changes are implemented, push notifications remain a surveillance tap that most users do not know exists. --- Audit your app permissions: Use our permission audit tool