How convenience can become a dramatic security hole

TiX0 · April 14, 2026, 1:01am

This is an interesting story where the FBI could recover private Signal messages on an iPhone.
Even though the suspect had deleted all her messages and uninstalled the App, there is something nobody (but the Agency) thought about: notifications.
Notifications are so ubiquitous, part of the daily life, really - who would think they could be a security loophole ultimately sending you to jail…

With a notification, usually the phone will shows a little preview on the screen and it is then stored by the OS in the iPhone’s push notification database. Just have to read it in cleartext - so easy and convenient!
As I’ve always said: convenience is usually the enemy of security

irvinewade · April 14, 2026, 4:31am

Illustrates a couple of points:

the power of defaults - notifications for an E2EE messaging app should default to appropriate security
security requires a careful analysis in every part of the process.

j_s · April 14, 2026, 4:15pm

So, does PureOS have a notifications database, and if so does it have a column containing preview text?

irvinewade · April 14, 2026, 11:46pm

And supplementary question … even if, let’s say, a notification is temporarily stored somewhere and then subsequently deleted … is it really deleted?

If you store a row in an sqlite database and then delete the row … is the information really deleted? It can be quite difficult to gain control of that kind of thing when you have layers of software. This is in no way specific to sqlite.

Dlonk · April 15, 2026, 1:22am

Actually as soon as I realized these all go through a central server owned by device manufacturer I pretty much lost faith in them.

Notifications are a big security hole, that’s why they’re pushed on us.

irvinewade · April 27, 2026, 4:47am

Reportedly this is fixed in iOS 26.4.2 (released in the last few days).

Fixing security one jailbird at a time …