Apple Releases iOS Update to Address Notification Retention Vulnerability

Apple Releases Urgent Security Updates for Notification Data Leak

iOS 26.4.2 and iOS 18.7.8 patch a critical vulnerability that caused deleted notifications to remain stored on devices, potentially exposing sensitive message content to law enforcement.

Update Overview

Apple released iOS 26.4.2 and iOS 18.7.8 on April 22, 2025, to address a security vulnerability in the Notification Services component. The update resolves an issue where notifications marked for deletion could be unexpectedly retained on the device.

Technical Details

The vulnerability, cataloged as CVE-2026-28950, involved a logging issue in iOS that caused notification content to remain stored in the device's internal database, even after messages were deleted within messaging applications or the applications themselves were removed.

Apple's security advisory describes the fix as "improved data redaction."

The update retroactively purges stored notification fragments and ensures that future notifications for deleted applications will not be preserved.

Availability

The update is available for:

  • iOS 26.4.2: iPhone 11 and later models, including iPhone SE (2nd and 3rd generation), iPhone 17 series, iPhone 17e, and iPhone Air, as well as several iPad models.
  • iOS 18.7.8: iPhone XS, XS Max, and XR for users who have not upgraded to iOS 26.

Background

According to reporting by 404 Media published earlier in April 2025, court testimony revealed that the FBI accessed an internal notification database on a defendant's iPhone in a case involving individuals at the ICE Prairieland Detention Facility in Texas.

The testimony indicated that the FBI recovered content from incoming Signal messages on the device, even after the Signal application had been removed from the phone.

A summary of exhibit 158 from the trial, published on a supporters' website, reportedly states:

"[M]essages were recovered from Sharp's phone through Apple's internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."

Defendant Lynette Sharp had pleaded guilty to providing material support to terrorists.

The vulnerability affects only iPhones on which Lock Screen notification previews were enabled. It did not breach Signal's end-to-end encryption; the privacy exposure came from the operating system storing notification logs. Signal's settings offer an option to keep message content out of notification previews, and the defendant reportedly did not have this setting enabled.

Company Statements

Apple stated in a security notice that the bug meant "notifications marked for deletion could be unexpectedly retained on the device."

Signal posted on its Bluesky and X accounts on April 22, 2025, expressing satisfaction with the update. Signal stated that once the patch is installed, "all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications."

Signal president Meredith Whittaker previously stated that the company asked Apple to address the issue, writing:

"[N]otifications for deleted messages shouldn't remain in any OS notification database."

Broader Context

The Electronic Frontier Foundation (EFF) noted that Apple's fix only partially addresses the issue, stating that law enforcement can still potentially access notification content through push notification channels. Push notifications are often routed through Apple or Google servers, potentially making content visible to these companies.

A 2024 study found that applications including Skype, Discord, WeChat, and JusTalk leaked message content via Google's push token service. Signal claims its notifications are processed entirely on the device and do not reveal message content.

According to publicly available data, Apple has complied with 958 of 1,408 law enforcement requests for push tokens globally over the past four years.

The forensic tool manufacturer Compelson published instructions in 2022 for exploiting this type of vulnerability through its MOBILedit Forensic tool, which is used by law enforcement agencies.

User Guidance

Apple recommends users update to the latest software version for security.

To update:

  1. Connect the device to a charger and Wi-Fi.
  2. Navigate to Settings > General > Software Update.
  3. Select "Update Now" or "Update Tonight."

The update is approximately 772 MB in size and installs in under 10 minutes.