Let me get this straight...
-
@tdpsk @Mer__edith
The problem is that such content is not included in unencrypted backups. So we mortals can't even confirm this, as we don't have access to full-device exploit tools such as Cellebrite.@wdormann @Mer__edith from what I understand it was forensically recounstructed from storage, the database itself is non-persistent (on the software layer). So something Apple could solve in a future update, e.g. by regularly properly wiping that part of storage.
-
@wdormann @Mer__edith from what I understand it was forensically recounstructed from storage, the database itself is non-persistent (on the software layer). So something Apple could solve in a future update, e.g. by regularly properly wiping that part of storage.
@tdpsk @Mer__edith
Right, why is this data persistent at all? -
@Mer__edith
On the macOS side of things, we have confirmation that Signal notification contents get stored, even for disappearing messagesiOS sadly offers less visibility into what's going on. But the FBI probably appreciates that it's happening there too.
The default notification setting for Signal (on both iOS and macOS) ensures that potentially sensitive information leaks out of the Signal app. This is unfortunate.
@Mer__edith
From elsewhere on the interwebs: -
@Mer__edith
From elsewhere on the interwebs:@Mer__edith
From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.Signal message content being present for self-deleting messages is not (in their minds).
-
@Mer__edith
From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.Signal message content being present for self-deleting messages is not (in their minds).
-
@Mer__edith
From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.Signal message content being present for self-deleting messages is not (in their minds).
@wdormann that's exactly what I was worried about. It suggests that whatever the/an app sends to the notification service gets stored, since OS notification settings would most likely apply only after and not before storage. That's .. creepy but not too surprising.
Thanks for raising awareness!
-
@wdormann that's exactly what I was worried about. It suggests that whatever the/an app sends to the notification service gets stored, since OS notification settings would most likely apply only after and not before storage. That's .. creepy but not too surprising.
Thanks for raising awareness!
@AwkwardTuring
It's easy to fix. It's just somewhat surprising to me that Signal ships with obviously insecure defaults. -
@AwkwardTuring
It's easy to fix. It's just somewhat surprising to me that Signal ships with obviously insecure defaults.@wdormann it is. I'm only worried about all the apps (or users for that matter) that rely on OS' built-in notification settings instead of more granular in-app-settings.
Again: not too surprising but leaves a sour taste nonetheless.
-
@Mer__edith
From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.Signal message content being present for self-deleting messages is not (in their minds).
@wdormann @Mer__edith
My expectation as a user would be that the os stores notifications until they're read, unless I make a change otherwise. It seems like they're stored 'forever'. -
@wdormann @Mer__edith
My expectation as a user would be that the os stores notifications until they're read, unless I make a change otherwise. It seems like they're stored 'forever'.@FritzAdalis @Mer__edith
Right. And especially given the black box nature of the iOS platform, it would be nice for some official statements from the Apple and/or Signal side of things.Nobody wants to be surprised by things like this.
-
@Mer__edith
From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.Signal message content being present for self-deleting messages is not (in their minds).
@Mer__edith
Note the precise use of deleted messages here. When you uninstall the Signal app, that doesn't flag it's messages as "deleted" so that Apple can remove them from the notifications database. (If Apple would ever comply with Signal's demands. iOS (and macOS) don't have such a feature)I don't think that this behavior maps up with users' expectations of the software. And for Signal to ship knowingly with a default setting that violates user expectations for a secure messaging app, well, I don't like it.
Don't get me wrong, I love the Signal product, and I've donated financially to it multiple times. But this ain't right.
-
@Mer__edith
From a worse place on the interwebs.
Implying:
Signal message content being present in Apple Notifications database even after Signal itself is deleted is apparently expected and fine.Signal message content being present for self-deleting messages is not (in their minds).
@wdormann As I understand they "knowing why" (as of now) doesn't imply this was *expected* behavior before.
I'd compare the persistent (not self-deleting) messages dilemma to secure deletion: below the next architectural boundary you can't really decide what's happening to your data ("were the bits of that file really deleted from the disk?"), but in special cases you take extra steps to prevent leaks ("let's overwrite a bunch of times, hopefully it helps").
@Mer__edith -
@wdormann As I understand they "knowing why" (as of now) doesn't imply this was *expected* behavior before.
I'd compare the persistent (not self-deleting) messages dilemma to secure deletion: below the next architectural boundary you can't really decide what's happening to your data ("were the bits of that file really deleted from the disk?"), but in special cases you take extra steps to prevent leaks ("let's overwrite a bunch of times, hopefully it helps").
@Mer__edithA path that would make me feel more comfortable would be:
We've changed the default setting in Signal to not put message bodies in the (external-to-Signal) notifications database. At least until the dust has settled.
But no, the battle that is being chosen is:
We are pleading with Apple to have self-deleting messages not be permanently retained in the notifications database.I get that security vs. usability are usually at odds with each other. But I suppose I'd like a bit more transparency here.
-
A path that would make me feel more comfortable would be:
We've changed the default setting in Signal to not put message bodies in the (external-to-Signal) notifications database. At least until the dust has settled.
But no, the battle that is being chosen is:
We are pleading with Apple to have self-deleting messages not be permanently retained in the notifications database.I get that security vs. usability are usually at odds with each other. But I suppose I'd like a bit more transparency here.
@wdormann I'd agree with that, but I don't know what level of control apps have on mobile.
@Mer__edith -
@wdormann I'd agree with that, but I don't know what level of control apps have on mobile.
@Mer__edith@buherator @Mer__edith
Signal has 100% control of this.
The screenshot is from the Signal iOS app settings.Signal can't play the "We can't do anything about this" card. It's their default setting that is less secure than it should be.
-
@Mer__edith
Note the precise use of deleted messages here. When you uninstall the Signal app, that doesn't flag it's messages as "deleted" so that Apple can remove them from the notifications database. (If Apple would ever comply with Signal's demands. iOS (and macOS) don't have such a feature)I don't think that this behavior maps up with users' expectations of the software. And for Signal to ship knowingly with a default setting that violates user expectations for a secure messaging app, well, I don't like it.
Don't get me wrong, I love the Signal product, and I've donated financially to it multiple times. But this ain't right.
@wdormann @Mer__edith FWIW, at least some Android flavors have Notification History feature too. e.g. my Samsung phones have had it for years.
In UI it only shows 24 hours of history and doesn't show uninstalled apps, but not sure if older or uninstalled app notifications are actually deleted behind the scenes.
I agree Signal should have No Content by default. Also needs clear warning about risks when relaxing settings.
-
@wdormann @Mer__edith FWIW, at least some Android flavors have Notification History feature too. e.g. my Samsung phones have had it for years.
In UI it only shows 24 hours of history and doesn't show uninstalled apps, but not sure if older or uninstalled app notifications are actually deleted behind the scenes.
I agree Signal should have No Content by default. Also needs clear warning about risks when relaxing settings.
@wdormann Now I'm wondering how Windows behaves here too. Can't test now but IIRC it does store notifs for at least a few days.
-
Let me get this straight...
The default setting for Signal on an iPhone allows law enforcement to see the content of all incoming messages, even after the app has been deleted?
@wdormann I've moved to telepathy. Use this link to start chatting https://en.wikipedia.org/wiki/Telepathy
-
@Mer__edith
Note the precise use of deleted messages here. When you uninstall the Signal app, that doesn't flag it's messages as "deleted" so that Apple can remove them from the notifications database. (If Apple would ever comply with Signal's demands. iOS (and macOS) don't have such a feature)I don't think that this behavior maps up with users' expectations of the software. And for Signal to ship knowingly with a default setting that violates user expectations for a secure messaging app, well, I don't like it.
Don't get me wrong, I love the Signal product, and I've donated financially to it multiple times. But this ain't right.
@Mer__edith
This apparently is addressed as CVE-2026-28950What is unclear is what is meant by
Notifications marked for deletion could be unexpectedly retained on the device
Is this only disappearing messages in Signal? Or any notification that has been acknowledged?
-
@Mer__edith
This apparently is addressed as CVE-2026-28950What is unclear is what is meant by
Notifications marked for deletion could be unexpectedly retained on the device
Is this only disappearing messages in Signal? Or any notification that has been acknowledged?
@Mer__edith
Apparently it applies to deleted apps as well.
