The FBI successfully extracted private Signal messages from a defendant’s iPhone in a Texas federal case, even though the app had been deleted from the device. The discovery, which surfaced during courtroom testimony in April 2026, reveals a forensic gap between Signal’s end-to-end encryption and how Apple’s iOS handles message notification previews.
The case involves a July 2025 incident at the ICE Prairieland Detention Facility in Alvarado, Texas, where a group allegedly vandalized property and one person shot a police officer. Defendant Lynette Sharp had previously pleaded guilty to providing material support to terrorists.
During trial proceedings, FBI Special Agent Clark Wiethorn testified about evidence recovered from Sharp’s seized iPhone. According to courtroom accounts and an exhibit summary published by a defense support group, messages were recovered from Apple’s internal notification storage despite Signal having been removed from the device. Only incoming messages were recoverable through this method. Outgoing messages were not captured.
The technical mechanism behind the recovery centers on how iOS handles push notifications. When an incoming Signal message arrives, the phone’s operating system, not the Signal app itself, generates a lock screen preview. iOS stores that preview in an internal notification database. Even if Signal later deletes the message or the app is uninstalled entirely, the cached preview can remain in that database. FBI agents used Cellebrite, a commercial forensic tool widely used by law enforcement agencies to extract data from seized devices, to pull the information from the notification cache.
Signal’s end-to-end encryption remains intact. The FBI did not break the encryption or access Signal’s servers. The vulnerability exists entirely at the device level and is reachable only when investigators have physical possession of the phone and can run forensic software on it. Remote extraction of notification cache data is not possible through this method.
Signal does offer a setting that prevents this. Under Settings, users can navigate to Notifications and set notification content to “No Name or Content.” This stops the app from sending message text or sender names to the lock screen preview. With no preview generated, iOS has nothing to cache and forensic tools have nothing to extract.
Security researchers noted the same vulnerability likely affects other encrypted messaging apps that allow lock screen previews, not just Signal. Most users leave notification previews enabled by default for convenience, which inadvertently creates the forensic artifact.
Around the same period, Apple released iOS 26.4, which changes how push notification tokens are validated, though no connection to this specific case has been established. The incident has prompted privacy advocates and security experts to urge all Signal users to review their notification settings regardless of whether they have legal concerns, citing the broader principle that device-level data can persist in unexpected places long after a user believes it has been erased.
This issue is not exclusive to Signal; it can occur with any messaging app that displays previews, such as WhatsApp or Telegram. Recently, Telegram’s founder, Pavel Durov, took to X to criticize WhatsApp’s encryption, labeling it a significant consumer fraud.

