Apple rolls out iOS 26.4.2 to fix a flaw that allowed the FBI to access push notifications
Source: Engadget
Background
Apple’s latest iOS update fixes a flaw in its notification database that allowed law enforcement to view deleted push notifications on an iPhone or iPad. The security flaw let agencies such as the FBI circumvent Apple’s strict stance on user privacy, according to the Electronic Frontier Foundation (EFF). Since 2023, Apple has required a court order to share notification data (Engadget).
Apple’s Update
According to the update notes, iOS 26.4.2 introduces improved data redaction to address an issue where “notifications marked for deletion could be unexpectedly retained on the device.” The update is available now for:
- iPhone 11 and later
- iPad Pro 12.9‑inch 3rd generation and later
- iPad Pro 11‑inch 1st generation and later
- iPad Air 3rd generation and later
- iPad 8th generation and later
- iPad mini 5th generation and later
FBI Exploitation
The FBI’s use of this iOS notification flaw was first reported by 404 Media. The agency employed a tool to access Signal notification data stored locally on an iPhone even after the messages were deleted.
Signal CEO Meredith Whittaker later acknowledged the issue on Bluesky, stating that “notifications for deleted [messages] shouldn’t remain in any OS notification database, and we’ve asked Apple to address this.” She advised Signal users to adjust their settings so push notifications would not include the messenger name or message content.
Signal’s Response
In reaction to today’s news, Signal posted on Bluesky that it is “very happy that today Apple issued a patch and a security advisory” (Signal on Bluesky).
Privacy Implications
The EFF notes that notification privacy is vulnerable in at least two places:
- The cloud – notifications pass through a company’s servers and may be partially logged as metadata.
- Local storage – notifications are stored on the device itself.
Apple’s update should make deleted notifications inaccessible, but limiting what is visible in notifications in the first place remains an important consideration.
Update
April 22, 6:40 PM ET: This story was updated after publication to include the comment from Signal.