Signal is a secure and encrypted messaging app. That’s why you see so many stories about police finding strange workarounds to read Signal histories, rather than them just getting them from Signal. Meta could tell anyone a lot of information about your WhatsApp chats. Signal could tell them nothing. The fact is, our phones are made to be convenient, not secure. So when you try to build something secure on top of them, you have to make things a little less convenient if you want them to be secure. If you don’t, someone could find that backdoor you left open.
The FBI was able to gain access to a Signal user’s received messages thanks to a flaw in iOS’s notifications database. Signal wasn’t cracked. Messages going between people are still encrypted and secure. But, if you make the wrong choices with your security, you can expose at least segments of those chats in a number of ways.
Recently, during an unprecedented raid of a Washington Post journalist’s home and electronic devices, the FBI was able to access her Signal chats because she had Touch ID on her MacBook and had signed into Signal there. The lesson was to disable biometrics on any devices you have sensitive communications on, as law enforcement can force you to break into your devices, but they can’t force you to provide a password.
After seeing that successful breech, we went over other steps you could do to make Signal more secure, like turning off contact uploads, using the screen lock feature, and more.
Now we have a new tip. In one of the Trump Regime’s attempts to turn all political opposition into “terrorism,” a case of protesters and a bad actor has become another insight into our security. A protestor had their Signal chats accessed because their phone saved a cache of their notifications, and police had gotten into their phone already to view it.
Here’s how you can prevent them from getting access in the first place, and how to keep your notifications from exposing your chats.
In This Article:
How Did Signal Leak Chats This Time? Blame Apple.
“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device.”
– Anonymous supporter of the defendant, speaking to 404 Media
Apple has, in one way or another, been the cause of the past two large news stories involving Signal. First, is the fact that they don’t make it easy to quickly turn off biometrics on a Mac or iPad. This means if someone had Signal on multiple devices, law enforcement could force someone to unlock their chat history. The iPhone has this, but for some reason, Apple hasn’t given the Mac or iPad this necessary feature.
This current leak is an equally ridiculous reason, and Apple once again could easily fix the problem, but likely won’t.
The FBI was able to gain access to a suspect’s phone, through unknown means. Perhaps they got the password, or maybe they used biometrics. Maybe they hacked it. The how doesn’t matter, the point is that the FBI had unencrypted access to the user’s phone. Once they had that, they could go through a complete backup of the device with a computer, searching through parts of your phone you can never access with your iPhone.
Once inside, they were able to find an on-device database of every notification the iPhone received. For some reason, Apple stores every notification in a database and does not delete the files if you delete the app that used those notifications. They didn’t even make an option to clear this cache! There’s no way to stop this from just piling up data, taking up space on your device, and potentially revealing private chats to others.
For secure messaging apps like Signal, this means that even if you’re using disappearing messages or deleting chats on your own, there’s still a place on your iPhone that will permanently store excerpts of what you received and who sent them, potentially timestamped and with other metadata. While you can’t currently clear this database, you can ensure you stop adding to it.
And Android users? Pay attention! Android push notifications are not largely different than iOS notifications. You’ll probably want to do the same. Not only does every single iOS app have this issue, from mail to social media to Signal, but it’s possible if not likely that Android phones may be doing the same thing, so be sure to take steps to lock your notifications down.
Keep Your Notifications Safe
It’s not enough to have your notifications only display information when your device is unlocked. That information is still getting stored somewhere. What you have to do is obvious: keep message previews out of your notifications. While it might be helpful for some apps, such as news apps, you’ll want to turn it off for anything you may want to keep private. Signal, fortunately, makes this easy. Not all apps do. But you still have options for apps that may not give you as many privacy options.
In Signal
Start off by modifying your Signal settings to remove information
- Tap your profile icon in the top left corner
- Select Settings
- Select Notifications
- Under “Notification Content” select “Show…”
- Select either “Name Only” or “No Name or Content.” The latter is preferable.
This will be enough to protect you, but you may want to take it a step further by also turning off this information in iOS settings so no data can display on the lock screen
In iOS Settings
- Open the Settings App
- Scroll down to Notifications and tap it
- Scroll down to Signal and tap it
- Under “Lock Screen Appearance,” select “Show Previews”
- Select “Never”
You should also update to iOS 26.4.1. It seems Apple may have changed how they validate push notification certificates in 26.4, but a patch in the latest update may fix an issue with it. However, it’s unclear if this update changes anything with the notification database. It might be in response to Apple’s decisions once again making their devices less secure, but Apple hasn’t commented.
Use a Good Password!
This database of notifications is only available if your device is unlocked. If you want to protect yourself, you can just make it harder to unlock your phone. First, stop using biometrics. Turn off FaceID or TouchID if you’re going to a protest or otherwise think you could be at risk. If you can’t do that, you can always push the lock button 5 times or press and hold the volume up and lock button for a few seconds to turn off biometrics and re-encrypt your device with your password only.
Now, as for that password? I’m sorry, but you’re going to have to ditch the numerical password. You’d need dozens of digits to match what you could get from an alphanumeric password, or one that also includes symbols. You should use a password that includes at least 16 characters, numbers, letters, and symbols. This may be why you’ll want to keep biometrics on most times, but if that’s the case, you’ll always have to have your phone close at hand to quickly re-lock it.
To set up an alphanumeric password for your device, start by going to settings.
- Open Settings
- Scroll down to Face ID and Passcode (this may be Touch ID and passcode if your device does not have Face ID)
- Enter your current passcode
- Scroll down to Change Passcode and tap it
- If you turned on Security Delay for stolen device protection, as you should, you’ll now have to start a 1 hour wait before you can change your passcode
- Wait until the timer is up, you’ll receive a notification
- Now you can enter a new passcode.
- Choose passcode options and select “Alphanumeric”
- Now enter your new password twice
- You can use your old passcode for 72 hours, just in case you forget
My recommendation is to shoot for between 16-25 characters. You can choose whole words, a short sentence or phrase. Don’t limit yourself, but don’t make anything too obvious.
Why Was the FBI After These Chats Anyway?
“Federal prosecutors in this case told a panel of Northern District of Texas residents with a straight face that lighting off fireworks on the Fourth of July was terrorism, was a riot.”
– Kydia Koza, wife of Autumn Hill, who was convicted on charges related to “terrorism” for their part in an act of protest with one violent member
Now this is a depressing question to answer. In northern Texas at an ICE detention center, a group of protesters planned a 4th of July fireworks show as a protest. They figured they’d do a “noise demonstration,” disrupting the peace and showing off a little patriotic joy. Perhaps even brightening the day of the detainees. Their goals were noble, cute in the way that only humans could be. Unfortunately, one organizer may have had other ideas. He brought a gun, and shot at an officer, who may have drawn his weapon first, but was not permitted to call that self defense.
This would be as simple as a single attempted murder charge if not for the fact that we are living under a fascist regime. Trump declared that being anti-fascist is terrorism, causing every Allied WW2 soldier to roll over in their grave. As such, the entire group was charged with terrorism, and could do decades behind bars. It seems many were not even near the shooting or knew that one of them had a gun. They were all charged anyway.
The president who pardoned everyone involved with an actual violent insurrection attempt that included homemade bombs, weapons, multiple deaths and serious injuries, zip ties, a noose, and hunting down senators wants you to believe that setting off 4th of July fireworks is an act of terrorism.
Careful this July, going to a fireworks show with someone wearing a “Hate won’t make us great” shirt could land you six decades behind bars.
This marks the first time someone has been charged for an association with anti-fascist organizing. It won’t be the last.
Be More Careful!
Too often I have to remind people that they’re the only ones looking out for themselves online. No one is between you and your data, you have to be your own security.
There’s a fascist in charge of one of the most powerful countries in the world threatening nuclear holocausts every time he doesn’t get his way. This case involved one person committing a crime and everyone who had organized the event the shooter was at with terrorism because of their political beliefs. We live in a country where, if you’re against fascism, any crime can be elevated to “terrorism,” simply for having the official stance on fascism that America had since 1942 until Trump was reelected.
“I feel like it turned its back on justice with this. … The U.S. lost today with this verdict.”
– Christopher Weinbel, one of the alleged “antifa terrorists” lawyers
If you live in a fascist state, you’re going to have to take measures to protect yourself. Don’t be caught slacking on security. There’s no promise that America will start bending the arc of history towards justice ever again. Don’t do anything stupid, don’t seek violence, and protect yourself, it’s all we can do.