
End-to-End Encryption Has a Notification-Shaped Hole

Source: hackernews

The FBI recovered deleted Signal messages using iPhone notification data. The predictable response online has been a wave of “Signal is compromised” takes, which misses the point almost completely. The Signal Protocol itself is not broken. The cryptography is fine. What the case reveals is something more structurally interesting: end-to-end encryption is a precise guarantee about a specific channel, and the iOS notification infrastructure sits meaningfully outside that channel.

Understanding why requires a short walk through how push notifications actually work on iOS.

How Apple Push Notification Service Works

APNs is the mandatory relay for every push notification delivered to an iOS device. There is no alternative on a non-jailbroken iPhone. The architecture is straightforward: an app provider (Signal’s servers, in this case) sends a notification payload to Apple’s APNs servers over an authenticated HTTP/2 connection. APNs then forwards that payload to the target device. If the device is offline, Apple queues the payload, potentially for up to 30 days, and delivers it when the device reconnects.

The implication is direct: Apple receives and temporarily holds every notification payload for every iOS app. A subpoena directed at Apple can compel disclosure of those payloads, the delivery timestamps, and the device token mappings that tie a notification to an Apple ID. Apple confirmed this explicitly in the wake of the December 2023 disclosures from Senator Ron Wyden’s office, which revealed the DOJ had been secretly subpoenaing Apple and Google for push notification data, often under gag orders that prevented the companies from notifying affected users.

The 2023 case was largely about metadata: using APNs records to de-anonymize app users by tying anonymous device tokens to Apple IDs. The 2026 FBI/Signal case appears to be the first publicly confirmed instance where notification payload data yielded recoverable message content specifically.

What Signal Sends Through APNs

Signal is aware of the APNs architecture and has been for years. Its solution is to minimize what travels through Apple’s infrastructure. When Signal needs to notify your device of an incoming message, it sends a minimal APNs payload containing only an encrypted ciphertext blob, not plaintext sender names or message text. Apple receives something it cannot read.

The mechanism for converting that ciphertext blob into a useful notification is the Notification Service Extension (NSE), an iOS feature introduced in iOS 10. When a push arrives, iOS launches the app’s NSE as a separate sandboxed process. For Signal, the NSE accesses the app’s shared keychain, retrieves the relevant Signal Protocol keys, connects to Signal’s own servers, downloads and decrypts the actual message, then rewrites the notification payload to include the sender name and message preview. iOS then displays that rich notification.

This design means Apple’s servers never see plaintext content. The decryption happens on the device. From a pure Signal Protocol standpoint, the E2E guarantee is intact.
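The payload shape described above can be checked on the provider side before anything is handed to APNs. This is an added example, not Signal's code or its real payload format: the `enc` key, the placeholder alert text and the allow-lists are assumptions, while `aps`, `alert`, `mutable-content` and the 4096-byte limit are standard APNs.

```python
import base64
import json

APNS_MAX_BYTES = 4096             # APNs limit for a regular remote notification
GENERIC_ALERTS = {"New message"}  # assumed placeholder, shown only if the NSE fails
OPAQUE_KEYS = {"enc"}             # assumed custom key that carries the ciphertext
ALLOWED_APS_KEYS = {"alert", "mutable-content", "sound", "badge"}


def is_base64(value):
    """Shape check only: valid base64 is not proof that the bytes are encrypted."""
    if not isinstance(value, str) or not value:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False


def lint_push_payload(raw):
    """Return findings for one JSON payload (bytes); an empty list means no finding."""
    findings = []
    if len(raw) > APNS_MAX_BYTES:
        findings.append(f"payload is {len(raw)} bytes, limit is {APNS_MAX_BYTES}")
    payload = json.loads(raw)
    aps = payload.get("aps", {})
    if aps.get("mutable-content") != 1:
        findings.append("mutable-content is not 1, so the NSE will not run")
    alert = aps.get("alert")
    if not isinstance(alert, str) or alert not in GENERIC_ALERTS:
        findings.append("aps.alert is not a generic placeholder string")
    for key in sorted(set(aps) - ALLOWED_APS_KEYS):
        findings.append(f"aps.{key} is not an expected key")
    for key in sorted(set(payload) - {"aps"}):
        if key not in OPAQUE_KEYS:
            findings.append(f"custom key '{key}' is readable by the relay")
        elif not is_base64(payload[key]):
            findings.append(f"custom key '{key}' is not an opaque base64 blob")
    return findings


# Constructed samples, not captured traffic.
GOOD = json.dumps({"aps": {"alert": "New message", "mutable-content": 1},
                   "enc": base64.b64encode(bytes(range(48))).decode()}).encode()
LEAKY = json.dumps({"aps": {"alert": {"title": "Alice", "body": "meet at 6"}},
                    "sender": "Alice"}).encode()

if __name__ == "__main__":
    print(lint_push_payload(GOOD))
    for finding in lint_push_payload(LEAKY):
        print("-", finding)
```

A clean result covers only what the relay can read; it says nothing about what the NSE writes on the device after decryption.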

The Problem Is What Decryption Creates

Decryption on the device does not mean the plaintext disappears. The NSE writes decrypted content to a shared app group container so the notification can be displayed and so the main Signal app can later read it. iOS stores delivered notifications in its Notification Center database, a SQLite file that persists on the device until explicitly cleared. If Signal’s notification setting is configured to show “Name and Message” (the default for most users), that decrypted content sits in a local database in plaintext.

This is where “deleted” becomes a more complicated word. A user can delete a message from the Signal app. Signal can even propagate that deletion to other devices via its “Delete for Everyone” control message. Disappearing message timers can wipe conversations automatically. None of these mechanisms reach the iOS Notification Center database. The notification that displayed the message when it arrived is a separate artifact, written outside Signal’s data store, managed by iOS itself.

Law enforcement with physical access to the device and a forensic tool (Cellebrite, GrayKey) can extract this database. The Signal message is “deleted” from Signal’s perspective; the notification record was never Signal’s to delete.

Alternatively, if investigators obtained Apple APNs records under legal process, they would have the delivery logs and whatever payload Signal transmitted. Even if Signal sent only ciphertext, the delivery metadata establishes communication relationships, timing, and frequency, which can be independently useful.

The Stored Communications Act (18 U.S.C. § 2703) is the primary statutory framework for law enforcement access to electronic communications. Content stored 180 days or less requires a warrant based on probable cause. Non-content records (logs, metadata) can be obtained with a lower-standard court order or a subpoena. Whether APNs payloads constitute “content” or “metadata” under the SCA has not been definitively litigated.

National Security Letters, issued by the FBI without judicial approval under 18 U.S.C. § 2709, can compel subscriber information from communication service providers. The 2023 Wyden disclosures confirmed these instruments were being used for push notification data with gag orders attached, keeping the practice invisible to the public and to affected users.

Apple states it notifies users of law enforcement requests where legally permitted. Where a gag order is in place, it cannot.

What This Actually Means for Your Threat Model

The Signal Protocol is not the failure here. If your threat model includes law enforcement with legal access to Apple’s infrastructure and the ability to forensically examine a seized device, then E2E encryption on the message transport layer is insufficient on its own. It was never designed to cover that scenario.

The encryption protects messages in transit between Signal’s servers and your device. It does not protect the notification that iOS displays and stores after decryption. It does not protect the APNs metadata that Apple logs as a function of delivering that notification. These are separate systems with separate trust surfaces.

Android has a partial structural advantage here. Signal on Android can be configured to bypass Firebase Cloud Messaging entirely, using its own WebSocket connection to Signal’s servers for message delivery. Because Android allows background processes more freely than iOS, Signal can maintain a persistent connection without relying on Google’s notification infrastructure. On iOS, APNs is mandatory for reliable background delivery; Apple’s background execution restrictions make a persistent WebSocket impractical without special entitlements. The platform architecture forces iOS apps into the APNs funnel.

The Practical Mitigation

The most effective mitigation within Signal is straightforward: go to Settings, then Notifications, then “Show,” and select “No Name or Message.” With this setting, Signal’s NSE does not populate the notification with decrypted content. The notification displays only “Signal” with no sender name or message text. The iOS Notification Center database then contains no useful information. A forensic examiner who extracts it finds nothing readable. This setting also minimizes what passes through APNs.

Additional measures worth combining with this: enable Advanced Data Protection on your iPhone, which encrypts iCloud backups with device-local keys and prevents Apple from handing over backup content under legal process. Disable lock screen notifications for Signal, which keeps notification content off the screen where it could be shoulder-surfed or captured by a camera, and reduces the incentive for iOS to store it prominently. Use disappearing messages for sensitive conversations, not because it retroactively removes APNs records, but because it reduces the total duration during which notification artifacts from those messages remain active on the device.

None of this requires abandoning Signal. The underlying protocol is sound. The gaps are in how iOS notification infrastructure interacts with local plaintext, and most of them are configurable.

The Broader Lesson

The FBI case is a useful demonstration of something the security community has stated in various forms for years: end-to-end encryption is a specific technical guarantee about a specific channel, not a guarantee of end-to-end opacity. Every system has adjacent layers, and those layers have their own trust boundaries, data retention policies, and legal compellability.

Signal is not broken. APNs is working exactly as documented. The law is operating through mechanisms that have been disclosed. What the case illustrates is the gap between a user’s mental model of “encrypted messaging” and the actual architecture of encrypted messaging on a smartphone platform controlled by a company subject to U.S. law.

Closing that gap requires understanding both the cryptography and the operational context around it. The cryptography part is well-solved. The operational context is where the work remains.
