iOS 26.4.2 Fixes a Quietly Concerning Notification Bug
While iOS 26.5 inches toward a likely May release, Apple is tiding everyone else over with iOS 26.4.2, a relatively minor update that fixes at least one privacy issue along with the other usual “bug fixes and security updates.”
The release notes for this one are sparse, so it’s unclear if it fixes any specific user-facing problems, but it does address a known issue with notifications being retained that’s important enough to be listed on Apple’s security updates page:
Notifications marked for deletion could be unexpectedly retained on the device
Whatever is going on here, it’s serious enough that Apple has also pushed out iOS 18.7.8 with the same fix. These are accompanied by corresponding iPadOS 26.4.2 and 18.7.8 releases, but there’s nothing for macOS, watchOS, or visionOS, so it’s likely the problem only affected the iPhone and iPad.
Most users wouldn’t have noticed this problem, as deleting a notification still removed it from the user-facing view, but Apple’s notes suggest that the deleted notifications were still living under the hood somewhere.
Considering the kind of data that often shows up in notifications — everything from personal messages to financial information, login codes, and password reset links — this could pose a serious problem, which is why Apple considers this to be an important “security” fix.
It’s unclear what Apple means by “retained” in this context, but it’s highly likely this is directly related to a 404 Media report from last week describing how the FBI was able to extract a suspect’s deleted Signal messages from the iPhone’s notification database.
The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck.
Joseph Cox, 404 Media
What’s noteworthy about the FBI case is that these notifications persisted even after the app was deleted. In other words, iOS wasn’t properly cleaning up after itself, allowing data that should have long been purged to be forensically extracted.
That’s especially concerning considering that Signal is seen as a secure messaging app. Of course, it’s fair to say that it is — and it’s certainly much better than using iCloud without Advanced Data Protection — but what many folks don’t realize is the end user device is always the most vulnerable piece of the puzzle, as messages have to be decrypted eventually so that they can be read by a human. That’s the real reason it was so concerning when US officials were using Signal for top secret chats on personal iPhones last year.
Leaving aside the possibility of an iPhone being targeted by mercenary-grade spyware like Pegasus, there’s always the possibility of a security flaw exactly like this one — and it’s a good reason to pay close attention to notification settings when using secure apps.
“Signal already has a setting that blocks message content from displaying in push notifications,” 404 Media’s Cox notes, adding that “the case highlights why such a feature might be important for some users to turn on.”
In theory, iOS 26.4.2 should close this loophole, but it’s still a good idea to audit your notification settings if you’re using Signal or other secure apps and would prefer that your notifications aren’t leaking personal information onto your lock screen.

