FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database
(www.404media.co)
If you turn off notification history on Android, that should be enough to avoid such "attacks". Hiding sensitive content inside notifications only hides it in the lock screen. If your OS keeps a clear log of them, it's useless.
Edit: didn't know Signal actually has settings to hide their own notifications. I was thinking about Android's "hide sensitive content" setting.
Notifications go through Firebase Cloud Messaging (FCM) on Android. They bounce off a Google server. Even from local, on-device apps.
Same with iOS.
They can read and store every one of them, and you don’t control the encryption keys.
Local, on-device apps don't need to go through FCM or any other servers to show notifications; apps generate notifications offline.
Same goes for Signal: it doesn't ask FCM to deliver a notification, it asks to deliver a wakeup ping, and then the Signal app gets the message and generates a notification locally.
Signal only sends a "new message, retrieve the rest from Signal" ping to your phone through Firebase. It doesn't contain message details, just that you have a new message.
But they only instruct Signal to wake up and download whatever is waiting. They don't contain the message contents.
By not having Google Play Services, isn't this prevented?
If you don't use Google Play Services, you don't get push notifications, so yes. Libre reimplementations of Google Play Services such as Gapps etc. or alternative push notification providers do not circumvent this issue, except possibly self-hosted push notification providers. This approach is really rare though and limited generally to very few apps.
This is about a history of notifications locally on the phone.
This is implemented outside of GMS, at least on my ROM, and in the past I have also installed a separate app to do the same.
If you log your notifications ... that log can leak your notifications.
Yes, I know! Sorry for the confusion, I just wanted to take the opportunity to raise awareness about a privacy issue that lots of people aren't aware of.
I don't use Play Services and still get push notifications from Signal, so they're clearly using an alternative implementation.
You might be getting pull notifications. That's generally the workaround for push notifications being disabled; it generally increases battery usage because it forces the app to stay open in the background.
Molly supports UnifiedPush.
That would make sense.
If I turn off notifications on my end, does the other person still generate a push notification when they send me a message, even if I never receive it?
Edit: Sorry, I think I misunderstood your question. If you don't have Google Play Services enabled but your friend does and messages you, no, a push notification won't be sent, but if you message them, one will be sent to them.
I thought you were asking if you just disabled notifications on your phone if that would prevent push notifications from being sent. I'll leave my original answer in case someone else has that question.
It depends on what exactly you mean, but usually not. If you mean in your phone's notifications management settings, that does not affect the push notifications being sent to Google/Apple servers, that's just a local setting to decide how your phone handles it.
Some apps, though rarely, allow you to disable push notifications from being sent. If it exists, this is inside a settings screen in the app itself or on the app provider's website somewhere. Generally, only privacy-conscious apps provide such settings.
So how does it decide to generate a push notification or not?
To send you a push notification, an app requires a special token specific to that app and your device, kinda like an API key, which can only be generated for a device using Google Play Services. Without that token, a push notification cannot be sent. These tokens expire, so if you used Google Play Services and just turned it off, push notifications will still get sent into the ether - but never delivered - until the token expires, at which point notifications can't be sent anymore. Badly developed apps might still try to send push notifications with expired tokens, I have no idea what Google servers would do with that, but I'd guess they would just discard it immediately.
Is this true if you don't have Google Play Services but the person you're messaging does? Is one person cutting GPS out enough?
The message you send them would probably go through as a push notification to them, but the message they send you wouldn't.
Notification logging is usually done by some other part of Android as far as I know. GMS is the typical way to deliver notifications and is a far more serious privacy concern, since it also directly passes Google's servers and is not encrypted. However, as others mentioned, Signal does not send contents there; message notifications with the message contents stay on device.
@4am @MrSoup wtf
I'm actually talking about sensitive data on Google/Apple hosted servers, as well as on the phone itself!
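
The data flow debated in this thread, as an added example that is not part of any comment and is not Signal's, Google's or Apple's code: a simplified model in which the push relay only carries a content-free wake-up, the app renders the notification locally, and the OS keeps its own notification history. The store names, the `preview` values (modelled on Signal's notification content options) and the XOR "encryption" are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for end-to-end encryption (NOT real cryptography).
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Model:
    preview: str = "name_and_message"  # or "name_only", "no_name_or_message"
    key: bytes = b"constructed-shared-key"
    push_relay_log: list = field(default_factory=list)           # seen by the push provider
    server_queue: list = field(default_factory=list)             # ciphertext on the messenger server
    app_messages: list = field(default_factory=list)             # the app's own message store
    os_notification_history: list = field(default_factory=list)  # kept by the OS, not the app

    def send(self, sender: str, text: str) -> None:
        self.server_queue.append((sender, xor_stream(self.key, text.encode())))
        self.push_relay_log.append({"type": "wakeup"})  # content-free ping
        self._on_wakeup()

    def _on_wakeup(self) -> None:
        # The app fetches and decrypts, then builds the notification on-device.
        sender, blob = self.server_queue.pop(0)
        text = xor_stream(self.key, blob).decode()
        self.app_messages.append((sender, text))
        shown = {"name_and_message": f"{sender}: {text}",
                 "name_only": sender,
                 "no_name_or_message": "New message"}[self.preview]
        self.os_notification_history.append(shown)

    def delete_all_in_app(self) -> None:
        self.app_messages.clear()  # does not touch the OS-level history

    def where_plaintext_survives(self, text: str) -> list:
        stores = {"push_relay": self.push_relay_log, "app": self.app_messages,
                  "os_history": self.os_notification_history}
        return [n for n, items in stores.items() if any(text in str(i) for i in items)]

def run(preview: str) -> list:
    m = Model(preview=preview)
    m.send("alice", "meet at 9")  # constructed sample message
    m.delete_all_in_app()
    return m.where_plaintext_survives("meet at 9")
```
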