Signal's Encryption Was Never the Weak Link. Apple's Notification Servers Were.
Source: hackernews
A recent court filing disclosed that the FBI recovered metadata from deleted Signal messages not by breaking encryption, but by obtaining Apple Push Notification Service records via warrant. The 9to5Mac report is being covered as a story about Signal, but it’s more accurately a story about iOS’s notification infrastructure and the surveillance surface area that every app on the platform inherits by default.
Signal’s encryption was not compromised. The Signal Protocol remains sound. What the FBI exploited is something Signal cannot fix unilaterally: the delivery plumbing of the operating system itself.
How APNs Creates a Surveillance Record
Every iOS app that sends push notifications must route them through Apple’s Push Notification Service. The architecture works like this: when an app registers for push notifications, APNs issues a device token, which is a 32-byte opaque identifier tied to the combination of a specific device and a specific app. The app forwards this token to its own backend server. From that point forward, when the server needs to notify the device, it sends the notification payload to APNs along with the token, and APNs routes it to the device.
The critical detail is what Apple retains to make this routing work. Apple must maintain a mapping between device tokens and Apple IDs, because that is how APNs knows which device to deliver to. Apple’s own law enforcement guidelines confirm that they can produce subscriber information, device registration records, and push notification metadata in response to valid legal process. A search warrant, supported by probable cause, is sufficient to compel this data.
The APNs delivery log Apple maintains records: which Apple ID received a notification, from which provider (i.e., Signal’s backend), at what time, from what IP address. This log exists independently of anything the app does, independently of whether the user deletes messages afterward, and independently of Signal’s own minimal data retention policies.
What Signal Actually Sends Through APNs
Signal has engineered its notification architecture carefully. Unlike apps that include message previews or sender names in notification payloads, Signal sends what amounts to a silent wake-up ping. The payload is roughly:
{"aps": {"content-available": 1}}This instructs iOS to wake the Signal app in the background so it can connect to Signal’s servers and fetch new messages directly. No message content, no sender identity, nothing but the instruction to wake up. The actual message exchange happens over Signal’s own encrypted channel, which Signal controls and which carries no readable content even to Signal’s own servers, given that the Signal Protocol provides end-to-end encryption.
Signal’s approach to its own data retention is equally minimal. In 2021, Signal received a grand jury subpoena from the Eastern District of Virginia. Their response demonstrated they had almost nothing to provide: the Unix timestamp of when the account was created and the Unix timestamp of the last connection to Signal’s servers. That response became a reference case for what genuine minimal-data architecture looks like in practice.
But Signal’s servers and Apple’s APNs infrastructure are separate systems. Signal cannot control what APNs records about notification delivery events. The device token it sends to Apple’s servers to initiate push delivery is sufficient for Apple to link the notification event to an Apple ID, which is linked to a real identity.
The Deleted Message Problem
The specific angle in the FBI case, recovering metadata from deleted messages, is worth unpacking. Deleting a Signal message on your device removes it from local storage. If the conversation partner also deletes or if Signal’s disappearing messages are enabled, the content is gone from all reachable storage. Signal’s servers don’t hold message content to begin with.
But the deletion happens after delivery. The APNs delivery record is created the moment Apple routes the silent push to the device. That record exists in Apple’s infrastructure from that point forward. A user can delete every message, wipe their phone, and reinstall Signal; the APNs log entry persists on Apple’s servers for whatever retention window Apple applies, which court filings suggest is at minimum 30 days and potentially longer for some metadata fields.
This is the mechanism. The FBI’s warrant to Apple for APNs records does not recover message content. It recovers the fact that communication events occurred, with approximate timing, linked to a specific Apple ID and thus a real identity. Combined with other evidence in an investigation, that communication pattern can be significant.
Wyden’s Disclosure and the Gagged Practice
This technique was not publicly known until December 2023, when Senator Ron Wyden sent a letter to the Department of Justice disclosing that both Apple and Google had been receiving legal demands for push notification records from law enforcement, including foreign governments. Apple and Google had been gagged from even confirming the practice existed. After Wyden’s letter, the DOJ agreed both companies could acknowledge it publicly.
The implications of the foreign government dimension are worth noting separately. Push notification records flow through US-based infrastructure for most of the world’s iOS and Android users. Foreign governments can request this data through Mutual Legal Assistance Treaties, and the records available are structurally identical regardless of which government is asking. An authoritarian state can use the same APNs warrant technique to identify which of its citizens are communicating via encrypted messaging apps, when they communicated, and with what frequency.
The technique is also not limited to Signal. Any app that uses APNs on iOS leaves the same kind of delivery record with Apple. The privacy properties of the app itself are irrelevant to this particular exposure.
The Legal Framework Enabling This
The operative legal theory is the third-party doctrine, established in Smith v. Maryland (1979) and United States v. Miller (1976). Information voluntarily shared with a third party is held to carry no reasonable expectation of privacy under the Fourth Amendment. APNs metadata is, under this doctrine, information shared with Apple as a consequence of using push notifications, and therefore subject to compelled disclosure with appropriate legal process.
The Supreme Court carved out an exception to this doctrine in Carpenter v. United States (2018), finding that comprehensive cell-site location information deserved Fourth Amendment protection despite being held by a third party. The reasoning was that the scale and comprehensiveness of the data created a qualitatively different surveillance capacity than the third-party doctrine was originally designed to govern. Legal scholars have argued that APNs records, which can reveal app usage patterns, communication timing, and associational networks over extended periods, may warrant similar Carpenter-style protection. No court has yet definitively ruled on that question.
In the Signal cases, the FBI used search warrants supported by probable cause rather than the lower standards the third-party doctrine might permit. This likely reflects DOJ caution in the post-Carpenter environment, seeking to insulate prosecutions from suppression motions by using the highest standard of legal process.
What This Means for Threat Modeling
For most people, this changes nothing about how they should use Signal. Signal remains the most privacy-protective widely-deployed messaging application available. Its encryption is sound, its metadata retention is minimal, and its engineering choices around notification payloads represent the best available approach within the constraints Apple imposes.
The exposure documented in this case is a function of using iOS, not of using Signal. Any iOS messaging app that delivers push notifications creates APNs records at Apple. The difference is that Signal’s records are as sparse as possible given the platform constraints, while apps that include message previews or sender names in notification payloads expose considerably more.
For high-risk threat models, specifically journalists, activists, or dissidents operating in environments where government surveillance is a primary concern, the iOS push notification architecture is a genuine consideration. The relevant mitigation is not switching apps but understanding that using any push-enabled app on iOS creates delivery records at Apple that can be compelled via legal process. Disabling push notifications for Signal and relying on manual refresh eliminates the APNs footprint but also significantly degrades the user experience and reliability of message delivery.
The broader point is that encryption protects content in transit and at rest. It does not protect the metadata of delivery infrastructure. APNs is delivery infrastructure. Apple’s ability to route notifications to the right device requires Apple to know which device is which, and that knowledge is exactly what law enforcement obtained here. Signal knew this. They engineered around it as much as iOS allows. The gap that remains is not a Signal design flaw; it is a structural property of how iOS notifications work.