Apple Slams the FBI’s Latest iPhone ‘Backdoor’ Shut

Last week, Apple released a relatively small iPhone software update that fixed a somewhat big problem. In doing so, the company also served notice that, although it will fully comply with legitimate requests from law enforcement, it won’t leave privacy loopholes in place to be exploited by anyone — even the FBI.

When iOS 26.4.2 showed up a week ago, it appeared to be little more than the usual “bug fixes and performance improvements.” However, a look at Apple’s security updates page showed that there was also a fix for a problem that could leave notifications lying around long after they’d been deleted.

This Limited-Time Microsoft Office Deal Gets You Lifetime Access for Just $39

Sick and tired of subscriptions? Get a lifetime license for Microsoft Office Home and Business 2021 at a great price!

While that didn’t seem like much on the surface, it followed a report from 404 Media earlier this month on how the FBI had extracted content from a suspect’s deleted Signal messages via the iPhone’s Notification database.

That’s an alarming vulnerability, considering that Signal is supposed to be one of the most secure and private messaging apps available. While that’s certainly true for the app itself and its underlying communications network, the weakest link in any secure encryption chain is always the endpoint, where the messaging payload eventually has to be decrypted so it can be read by a human.

In this case, it’s also decrypted so that the iPhone can show a notification, whether that’s on the user’s Lock Screen, as a banner, or simply tucked away in the Notification Center. Like most apps, Signal includes a snippet of the message in its notifications, which means they’re stored on the iPhone outside the Signal app — in a common database used by iOS for all notifications.

The FBI case in question involved a group of vandals at the ICE Prairieland Detention Facility in Alvarado, Texas last summer, one of whom shot a police officer in the neck. Several people were charged for alleged “Antifa” activities, and during the investigation, forensics experts found that one of the suspects had been communicating via Signal, and while they weren’t able to retrieve the actual contents from the Signal app, the iPhone owner had left notification previews enabled for Signal, and their notification database contained a treasure trove of deleted notifications for the messages they’d received.

Although Apple didn’t say it outright in its security release notes, it seemed obvious that iOS 26.4.2 was intended to close this loophole, and Signal also shared its delight that Apple had fixed the problem while pointing to the FBI’s use of it and advising users that there’s nothing they need to do to protect the app other than installing iOS 26.4.2 or a later update.

In a follow-up report, 404 Media shared that Apple had reached out to them to tacitly confirm this, while adding that the new patch also “retroactively purges any of those saved notifications” and that it’s Apple’s “policy to remove any associated notifications when a user has deleted an app.”

Perhaps unsurprisingly, the Alvarado case is far from the first time the FBI has taken advantage of this bug. In today’s report, 404 Media’s Joseph Cox points to several other cases revealed in court records and FBI Special Agent testimony in which the FBI was able to recover incoming Signal messages from the iPhone’s notification database — in some cases even after the user had deleted the Signal app entirely from their iPhone.

The bug likely went unnoticed by Apple until the 404 Media report, as the FBI certainly wasn’t about to lose its advantage by telling Apple about this data retention flaw. While Apple’s security release notes don’t credit any specific individual or group with the finding, those are typically only listed in situations where a formal report has been filed by security researchers, not when something merely pops up as a result of coverage in the media.

This latest issue is listed in the Common Vulnerabilities and Exposures system as CVE-2026-28950, and is fixed in iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8 for devices still on the iOS 18 track. It doesn’t appear to exist in older iOS/iPadOS versions.

Apple has had a rather complicated relationship with law enforcement over the years, which came to a head in 2016 when the FBI pushed the company to unlock an iPhone 5c belonging to San Bernardino Shooter Syed Rizwan Farook. Since iOS uses hardware encryption, this would have required Apple to deliberately create a special version of iOS with a back door for the FBI. The company refused to do so, with CEO Tim Cook famously calling it “the software equivalent of cancer” and refusing to weaken iPhone security as it’s impossible to create a security loophole that can only be used by the “good guys.” Apple stood its ground in face of legal threats, and the FBI eventually figured out another way to break into the shooter’s iPhone.

Since then, the FBI has continued to find ways into locked iPhones, even as Apple not only refuses to help but actually makes things even more difficult with features like Lockdown Mode, and Advanced Data Protection — and not because it’s fighting the FBI. Apple still willingly helps law enforcement where it can, and despite what some politicians would have you believe, it’s not trying to create “a safe haven for criminals.” However, Apple wants to ensure its users are protected from much darker forces with even deeper pockets