Kii Message Database

Julian Sterling

TL;DR:

- FBI agents extracted deleted Signal messages from a defendant's iPhone — even after Signal was completely uninstalled — by pulling them from Apple's push notification database.
- The technique was revealed during testimony by FBI Special Agent Clark Wiethorn in a federal terrorism case tied to a July attack on an ICE detention facility in Texas.
- This isn't a Signal flaw. Any messaging app that shows message content in notifications leaves traces in iOS storage that survive app deletion.
- Only incoming messages were recovered. Outgoing messages don't pass through the push notification system.
- Fix it in 15 seconds: Open Signal → Settings → Notifications → Notification Content → select "No Name or Message." This prevents iOS from storing readable message text.

What Happened in Court

In April 2026, FBI Special Agent Clark Wiethorn took the stand in a federal terrorism trial and described something that should worry every Signal user.

Defendant Lynette Sharp had pleaded guilty to providing material support to terrorists in connection with a July attack on the ICE Prairieland Detention Facility in Alvarado, Texas. The group allegedly set off fireworks, vandalized property, and one member allegedly shot a police officer in the neck. It was the first case where authorities charged defendants for alleged "Antifa" activities following President Trump's designation of the umbrella term as a terrorist organization. Sharp had deleted Signal from her iPhone. She probably thought that destroyed the evidence. It didn't.

The FBI used forensic extraction tools to pull copies of her incoming Signal messages from a database she didn't know existed: Apple's push notification storage system. As 404 Media's Joseph Cox first reported, the messages were sitting in the iPhone's BulletinBoard framework — the system iOS uses to manage notifications — completely independent of the Signal app itself.

How Your Phone Betrays Your "Encrypted" Messages

Here's the pipeline that turns end-to-end encryption into a forensic evidence trail:

- Signal receives an incoming message. The message arrives encrypted and gets decrypted on your device. So far, so good.
- Signal generates a notification. If you have message previews enabled (the default), Signal hands the decrypted message content to iOS to display on your lock screen.
- iOS stores the notification. Apple's BulletinBoard framework — located at /private/var/mobile/Library/BulletinBoard/ — caches notification data including the full message text, timestamps, and the sending app's identifier.
- You delete Signal. The app is gone. But the notification database entries? They stay. iOS doesn't purge notification records when an app is uninstalled.
- Law enforcement seizes your phone. Using commercial forensic tools like Cellebrite UFED or Magnet AXIOM, they extract the notification database and read your "deleted" messages.

The critical detail: this only captures incoming messages. Outgoing messages you sent don't generate push notifications on your own device, so they bypass this storage entirely. But incoming messages — the ones other people sent you — survive in a database most iPhone users have never heard of.

This Isn't a Signal Bug. It's an iOS Problem.

Signal's encryption works exactly as designed. Messages are encrypted in transit and decrypted only on the recipient's device. The protocol is solid. The problem is what happens after decryption. Once iOS gets the notification text, it's Apple's system managing that data — and Apple's system that retains it.

This means every messaging app with content previews is affected. WhatsApp, Telegram, iMessage, even email apps. If a notification shows you message content on your lock screen, iOS is caching that content in a forensically recoverable database.

Security researcher Andrea Fortuna broke down the technical details: the notification database's accessibility depends on the device's encryption state. After you enter your passcode the first time (moving from "Before First Unlock" to "After First Unlock" state), the notification data becomes accessible to forensic tools. Since most seized phones are in AFU state — your phone's been unlocked at least once since the last reboot — the data is typically there for the taking.

The mutable-content: 1 flag that Signal uses to decrypt message content via its Notification Service Extension is the exact mechanism that creates these forensic artifacts. The app decrypts the message, formats it for display, and iOS faithfully records the result.

The $15,000 Gadgets Reading Your Notifications

Law enforcement doesn't need to hack Signal's encryption. They just need physical access to your phone and one of several commercially available forensic tools:

- Cellebrite UFED — Used by over 5,000 law enforcement agencies worldwide. Can perform "advanced logical acquisition" that extracts system databases including notification storage.
- Magnet AXIOM — Parses iOS backup protocols and system-level data stores. Specifically designed to recover artifacts that survive app deletion.
- GrayKey (Grayshift) — Can bypass iPhone passcodes in some configurations, giving full filesystem access including notification databases.

These aren't theoretical capabilities. Agent Wiethorn testified about using them in a federal courtroom. This is standard practice.

The tools exploit a fundamental gap: Signal protects messages in transit. Apple protects data on disk with filesystem encryption. But between those two protections — in the moment iOS receives notification content and writes it to a database — there's a window. And that window stays open permanently, because iOS doesn't clean up after deleted apps.

Push Notifications: The Surveillance Backdoor Nobody Talks About

This isn't the first time push notifications have created a privacy problem. In December 2023, Senator Ron Wyden revealed that the U.S. government had been secretly demanding push notification records from Apple and Google. Those requests captured metadata — which app sent the notification, when, to what device — flowing through Apple and Google's servers.

This new technique is different and arguably worse. The FBI isn't requesting metadata from Apple's servers. They're recovering decrypted message content from your physical device. Content that end-to-end encryption was specifically designed to protect.

The architecture of push notifications creates two separate surveillance vectors:

- Server-side: Apple and Google see notification metadata (and sometimes content) when it transits their Push Notification Service infrastructure. Governments can subpoena this.
- Device-side: iOS caches notification content locally in a database that survives app deletion. Law enforcement can extract this with physical access and forensic tools.

Encrypted messaging promised one thing: only you and the recipient can read your messages. Push notifications quietly broke that promise from day one.

Fix This Right Now

The good news: you can shut this down. The bad news: it's not the default setting.

Signal (do this first)

- Open Signal
- Tap your profile icon (top left)
- Tap Notifications
- Tap Notification Content
- Select "No Name or Message"

This tells Signal to send a generic "New Message" notification instead of the actual text. iOS caches "New Message" — useless to forensic tools.

- Settings → Notifications
- Disable "Show Preview" for both Message and Group notifications

Telegram

- Settings → Notifications and Sounds
- Disable "Message Preview" under each notification category

iOS system-wide (belt and suspenders)

- Settings → Notifications
- Tap "Show Previews"
- Select "Never" or "When Unlocked"

"When Unlocked" is the minimum — it prevents content from being cached while the phone is in BFU state. "Never" is safer. You'll still get notification alerts; they just won't contain readable message text.

Already compromised?

If you've been running Signal with default notification settings, your notification database already contains cached message content. Changing the setting only prevents future messages from being stored. Old artifacts persist until they're overwritten by the system — which iOS does eventually, but there's no way to force it.

For high-risk individuals: a full device wipe and restore (not from backup, which may include the notification database) is the nuclear option. Most people don't need to go that far. Just change the setting and move forward.
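
For app developers, the "No Name or Message" choice maps to a decision inside the Notification Service Extension that the mutable-content flag triggers. The following is an added example, not Signal's code and not from the original article: an extension that gives iOS plaintext only when the user has opted in to previews and otherwise delivers the generic text. The app group, defaults key, keychain service, `ciphertext` payload field and the AES-GCM decryption standing in for the app's real message decryption are all assumptions.

```swift
import CryptoKit
import Security
import UserNotifications

// Hypothetical names: app group, defaults key, keychain service, "ciphertext" field.
enum PreviewPolicy: String { case nameAndMessage, nameOnly, noNameOrMessage }
struct Incoming: Decodable { let sender: String; let text: String }

final class NotificationService: UNNotificationServiceExtension {
    private var deliver: ((UNNotificationContent) -> Void)?
    private var placeholder: UNNotificationContent?

    override func didReceive(_ request: UNNotificationRequest,
                             withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void) {
        deliver = contentHandler
        guard let content = request.content.mutableCopy() as? UNMutableNotificationContent
        else { return contentHandler(request.content) }
        // Fail closed: the notification iOS keeps starts as the generic text.
        content.title = ""
        content.body = "New Message"
        placeholder = content.copy() as? UNNotificationContent
        let saved = UserDefaults(suiteName: "group.example.messenger")?.string(forKey: "previewPolicy")
        let policy = saved.flatMap(PreviewPolicy.init(rawValue:)) ?? .noNameOrMessage
        // Plaintext is written into the notification only if the user opted in.
        if policy != .noNameOrMessage, let msg = Self.decryptPayload(request.content.userInfo) {
            content.title = msg.sender
            if policy == .nameAndMessage { content.body = msg.text }
        }
        contentHandler(content)
    }

    override func serviceExtensionTimeWillExpire() {
        // Out of time: deliver the placeholder copy, never partial plaintext.
        if let deliver = deliver, let placeholder = placeholder { deliver(placeholder) }
    }

    // Stand-in for the app's real decryption: AES-GCM over a JSON body (assumption).
    private static func decryptPayload(_ userInfo: [AnyHashable: Any]) -> Incoming? {
        guard let b64 = userInfo["ciphertext"] as? String, let sealed = Data(base64Encoded: b64),
              let key = loadKey(), let box = try? AES.GCM.SealedBox(combined: sealed),
              let plain = try? AES.GCM.open(box, using: key) else { return nil }
        return try? JSONDecoder().decode(Incoming.self, from: plain)
    }

    private static func loadKey() -> SymmetricKey? {
        let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "example.messenger.push-key", kSecReturnData as String: true]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
        return (item as? Data).map { SymmetricKey(data: $0) }
    }
}
```

The extension defaults to the generic text when no preference is stored, so a missing or unreadable setting never results in message text being written into a notification.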

Sources

- 404 Media: "FBI Extracts Suspect's Deleted Signal Messages Saved in iPhone Notification Database"
- 9to5Mac: "FBI used iPhone notification data to retrieve deleted Signal messages"
- Cyber Insider: "FBI retrieved deleted Signal messages from iPhone notification database"
- Andrea Fortuna: "When deleting Signal is not enough: the FBI, iPhone notifications, and what forensics can reveal"
- CDM: "FBI Recovers Deleted Signal Messages From Suspect's iPhone Via Notification Database In Texas Terrorism Case"
- Senator Wyden: "Wyden Reveals U.S.
