(techcrunch.com)
If you don't want end-to-end messages made available to others, set your notifications to only show that you have a message, not what it contains or who its from.
>If you don't want end-to-end messages made available to others, set your notifications to only show that you have a message, not what it contains or who its from.
This incorrect on two counts:
1. As per what you wrote immediately before the quoted text, the issue was that the OS keeps track of notifications locally. Google/Apple's notification servers have nothing to do with this
2. It's entirely possible to still have end-to-end messaging even if you're forced to send notifications through Google/Apple's servers, by encrypting data in the notification, or not including message data at all. Indeed that's what signal does. Apple or Google's never sees your message in cleartext.
Apple support applications sending encrypted notifications, where the OS launches the app the decrypt the notification body locally and pass it back to the OS for display.
This makes for a very odd and specific interaction with a 3rd party feature. Security is a hard problem.
I assume that "Name only" option results in the push notification only sending "Signal message from Bob", and the "No Name or Content" one only sending "You have a new Signal message" - instead of the whole "Signal message from Bob: Let's rob the bank tomorrow!"
If I could have it work the way I'd prefer, Signal would let me set those Notification Content on a per contact and per chat basis - so I could set my bank robbing crew and group chats to "No Name or Content" while leaving mom and the family group chat on "Name, content, and Actions".
(But realistically, if I _did_ have a bank robbing crew they'd all be on my burner phone, not the phone I do family group chat with.)
APNS just taps on the device's metaphorical shoulder and hands them a courtesy phone "call for you sir"
For a standard notification the content of that notification is sent through the push notification servers. This includes the title, text, icon, grouping, and sound presets to use. The majority of user-visible notifications are sent this way - the app on the device does not run.
That allows the OS to display your notification without ever running the app, which saves limited resources on the phone. Originally this was the only option, a push notification couldn’t start your app.
These days an app can also register a notification extension which is a standalone program that can modify the incoming notification. It has 30 seconds to do whatever it needs to, though you need to be careful with RAM use or the OS will kill the process and present the notification unaltered. Generally you’d put something generic in the push as a fallback.
There’s also background notifications. These let the app run for 30 seconds and the app can post a local notification during this time, but they’re not guaranteed to be delivered. The OS can decide the system doesn’t have the resources and defer or drop them, or terminate the app before it’s finished if the ram is needed elsewhere.
There are some other special cases depending on what your app does.
Technically, so can the OS's text drawing primitive while drawing Signal's UI.
We have no idea if this actually works or even what our does, because we can't see the source code. We just have to take Apple and Google's word for it. Which is not exactly a smart thing to do.
“find the inclusion of this information interesting because there is a chance that this still contains communications even when the record has been deleted from the sms.db file. I've yet to find definitive proof that this is the case however and it's possible that it is purged at the same time as sms.db is cleared.”
From: https://web.archive.org/web/20220120174606/www.doubleblak.co...
See also: https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-...
A Firebase Cloud Messaging push notification contains what the app developer's server puts in it. That could include the message body or it could just be an instruction to the app to poll the server for new messages. It has nothing to do with the notification that's displayd on an Android device. Those are entirely local.
An app that cares about privacy wouldn't send anything more than a poll instruction over FCM.
But if you have strong end-to-end encryption for messages, then you don’t have to care about the transport anymore, you assume they’re all compromised. At that point you might as well use the push notification system as your transport, given both OSs allow applications to intercept the push notification locally and decrypt it before it’s displayed to the user.
I'm pretty sure that's the default in GrapheneOS. Or at least that's how mine behaves.
With Matrix apps, certain metadata is pushed from the chat server, to a push server, through Google and then to my device. But the message is not part of that data - it's E2EE. What happens is the app wakes up from the metadata notification, and then fetches the message and displays it in the notification field.
Your last point is correct, at least until/unless this is remedied in Android, too.
For many apps, they choose to do it this way. For most e2ee apps, they do not. The notification displayed on screen does not need to be the notification pushed through APNS.
Fortunately you can choose the payload by yourself and just send a notification "ping" without any data about the messages. But if we're serious about security, you just don't ping the client about new messages because even the time and existence of a notification can be compromising. _The user will know that they got a message, when they open the app and see that they got a new message._
https://www.youtube.com/watch?v=a2eBDU5ea0A&t=392s
> "That largely depends on what an officer does outside of work. If someone is involved in corrupt dealings, and in fact, I know very few who aren't, then they reason like this. Can this messenger be monitored by internal security officers? Previously, many used WhatsApp. Almost no one used telegram because there's a wellfounded belief that this messenger is to some extent controlled by the Russian authorities. People used signal. Some use three months, but all that has now been shut down again. Why is it monitored? I think they're worried about a possible coup and trying to limit the ability to coordinate mass actions via communication channels from abroad. Hence the Max messenger. So now most security officers have switched to Chatty. That's a Dubai based messenger, but it's definitely not a universal remedy. Some have moved to Zangi, which is [clears throat] an Armenian app that markets itself as American. When it comes to targeting the opposition, the state will always find the resources. It's one of the main priorities, more important than any financial or commercial issue, even more than counterterrorism."
From the linked article:
> The independent news outlet reported that the FBI had been able to extract deleted Signal messages from someone’s iPhone using forensic tools, due to the fact that the content of the messages had been displayed in a notification and then stored inside a phone’s database — even after the messages were deleted inside Signal.
https://www.404media.co/fbi-extracts-suspects-deleted-signal...
The main problem, which is notifications text is stored on a DB in the phone outside of signal, is not addressed. To avoid that you have to change your settings.
In this case, the defendant had deleted the signal app completely, and that likely internally marks those app's notifications for deletion from the DB, so the bug fixed here is that they were not removing notifications from the local database when the app that generated them was removed, now they do.
Impact: Notifications marked for deletion could be unexpectedly retained on the device
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28950
Biome — /private/var/mobile/Library/Biome/streams/.../Notification/segments/ — the raw title/body logs
2. BulletinBoard + UserNotificationsCore — /var/mobile/Library/{BulletinBoard,UserNotificationsCore}/.{json,plist} — delivered + dismissed state
3. CoreDuet — /var/mobile/Library/CoreDuet/coreduetdClassD.db — SQLite that re-ingests Biome events
in this case as per reporting, defendant removed the app. unclear if they first dismissed them.
Much of the metadata is plaintext, in both Apple and Google's Push Notification architecture.
At no point does the push message payload contain message text or metadata, encrypted or not.
Or maybe it’s impossible for iOS to store the preview content if it never showed in the first place, but not sure if it’s even documented.
Settings > Apps > choose an app > Lock Screen Appearance: Show Previews - Never
The app itself must choose not to send the message text in the push notification.
Before anyone asks: No , I didnt turn on any setting to save all my messages to some external server and download them whenever, even if I delete them locally
And if the app isn't leaky, the OS will probsbly screw you like in this case. The concept of being able to clean up your laptop is just not supported, you have to wipe the whole device which is ridiculous.
But what about iMessage. The source code will never be available for neither the servers nor the app.
I disabled notifications and instead Signal reminded me to re-enable them…
Some people talking about it (different but in the same scope of issue): https://blog.davidlibeau.fr/push-notifications-are-a-privacy...
That would mean Apple stored the cleartext on-device after decryption.
despite "end-to-end" encryption (for WhatsApp) they are sending copy of some messages based on keywords to authorities, PRISM-like.
Officially to protect kids, but who knows what is in this keywords list.
For those on iOS 18, beware that the update to iOS 18.7.8 will toggle Automatic Updates back on. Make sure to switch it back off so you don't wake up to a nasty surprise when iOS 26 is non-consensually forced onto your iPhone.
The new iOS 18 update will _also_ toggle Automatic Updates back on. I had it happen just now on my 13 Mini against my will. I had to go back into settings and very carefully navigate to disable automatic updates.
The way major upgrades are presented in the Settings UI makes it clear that users installing these security updates while not upgrading to a newer major version do so very intentionally. So Apple is now supporting these users deliberately.
Some years ago I stopped depending on Apple's purchased downloaded movies for long flights, after an instance of having the files downloaded to the device beforehand, but Apple deciding I didn't have the DRM keys to play said files during a long transoceanic flight. I then moved to storing DRM-free movies in VLC, but iOS prioritized keeping system storage and other data cruft around, and wiped VLC's stored files. Talk about paying for an expensive device and media you don't really own.
I'd imagine the metadata picture that could be synthesized from that data could be extensive in some cases. This stuff is hard and I'm sure there are good reasons for caching things, especially on a device positioned to primarily act as a readily available front end for online stores, but I have a hard time believing that Apple's executing it well.
It’s not a perfect system so right now you still have to trust someone at some point in the chain.
Not sure how you're implying one leads to the other.
Not publicly, of course.
Ask yourself, do you really own your device? Can you access kernel? Can you flash your own firmware on your device? No?
Then you DON'T own it.
In this case they are patching out a data extraction path that was exploited to access data a user thought had been deleted.
Please substantiate that claim. Why would Apple need mystical third party devices to transfer data? They've designed both the user devices and the software, and they're both capable of exchanging data, and I'm sure Apple can do even more once they put the devices in diagnostic mode. What am I missing? What is Cellebrite providing here?
I’m sure Apple could do everything that box does and more. But why bother designing, building and manufacturing your own specialist device when someone else already sells a perfectly good tool that does the job.
Don’t forget this is for use in a retail store by people who will have been given 5mins training on how to use the device. You want something that just requires a person to plug two phones in and hit a big “go” button. And it needs to work 99% of the time with zero messing around.
People aren’t debating whether or not Apple could theoretically find a way to transfer data between the devices they make and sell. The question here is if there is any evidence for the assertion that Apple buys Cellebrite devices in lieu of making their own solution for transferring data between the devices that they make and sell.
https://phys.org/news/2010-12-air-playstation-3s-supercomput...
It’s like saying “Single Ladies” by Beyoncé is topping the charts.
Do you have a link that talks about Apple buying cellebrite devices presently?
Not saying they should use it to reverse engineer hacking tools.
Just saying they have access to Mythos now.
Wow, such a risky bet, I'm not sure it'll pay off.
trusting a valley company is the last thing you could do since there is a ton of money to be made from selling secrets
Let screens always show garbled pixel vomit, decoded on device only by your private AR glasses
Apple should have fixed this long ago (not that you can trust a closed system), but Signal should also have strong guardrails & warnings around allowing message content in push notifications.
To be fair, the day after Glasswing was announced [1] iOS 26.4.1 was released [2]. Three weeks later, we have 26.4.2. When I saw the update prompt, my first thought was security fixes from Mythos. (In reality, the data do not show that Apple is releasing iOS 26 versions more frequently after Project Glasswing was announced than it was before. If we see another release in two weeks, I think we can conclude at least a statistically-meaningful signal.)
Whatever Apple did to block access to the cache does not negate the fact that these notification messages are still being sent in plaintext through Apple and Google’s servers.
It’s hard to imagine that Apple/Google couldn’t just be compelled to hand this information over if ordered by a court and wouldn’t need your phone at all.
And this loophole possibly only hinges on the fact that most law enforcement maybe never realized this was something they could ask for.
Or perhaps this is happening and the public just doesn’t know it yet.
It has to do with the fact that any notification displayed on your device goes via a separate system service which was caching them.
It is amusing to see how often people confuse device notifications with Apple notification service.
Why can't we have notification history just like on Android then. It's very useful when you dismiss a notification you didn't want to, or you look for some old stuff.
UPDATING IOS WILL ENABLE AUTOMATIC UPDATES TO IOS 26.
(Bad!) This is a new shady tactic they're using trying to get iOS 18 users to install iOS 26.