Apple has rolled out iOS 26.4.2, closing a security gap that previously allowed law enforcement—including the FBI—to retrieve push notifications from an iPhone or iPad even after they were deleted. The flaw stemmed from improper handling of notification data in local storage, circumventing Apple’s own privacy protections that require court orders for data sharing.
The patch focuses on “improved data redaction,” ensuring that notifications marked for deletion no longer remain accessible on affected devices. iOS 26.4.2 is now available across a wide range of Apple hardware, including iPhone 11 and later models, iPad Pro (12.9-inch, 3rd generation and up), iPad Air (3rd generation and up), and iPad mini (5th generation and up).
How authorities exploited the iOS notification flaw
The vulnerability came to light when 404 Media reported that the FBI used a specialized tool to access Signal notifications stored locally on an iPhone, even after users had deleted the messages. Signal’s CEO Meredith Whittaker responded on Bluesky, calling the flaw unacceptable and noting that “notifications for deleted messages shouldn’t remain in any OS notification database.”
In response, Whittaker advised Signal users to disable message content and sender names in push notifications. Signal later confirmed on Bluesky that it is “very happy that Apple has issued a patch and security advisory addressing this issue.”
Why notification privacy matters more than ever
The Electronic Frontier Foundation (EFF) highlights two critical points of vulnerability in notification privacy: cloud-based routing, where metadata may be logged by servers, and local device storage, where notifications are initially received. While Apple’s update aims to prevent access to deleted notifications, privacy advocates argue that stronger default controls—such as limiting what appears in notifications in the first place—could further reduce exposure.
For instance, disabling preview content in notifications can prevent sensitive information from being displayed on a locked screen or exposed in logs. Such measures complement Apple’s technical fix by reducing the data available in the first place.
What users should do next
All eligible iPhone and iPad users should install iOS 26.4.2 or later as soon as possible. Signal users may also want to revisit notification settings to minimize data exposure, even though the core flaw has been patched. Apple has not provided additional details on whether future updates will include broader notification privacy controls.
As digital privacy threats evolve, this update serves as a reminder that platform-level vulnerabilities can undermine user trust. Apple’s quick response reflects growing scrutiny from both privacy advocates and law enforcement, but ongoing vigilance remains essential for safeguarding personal data.