Notifications Privacy
The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media.
Push Notifications can be sent encrypted (server controls the encryption) and decrypted locally with a
UNNotificationServiceExtensionrunning on the device. Signal and other E2EE apps do this.
But then the decrypted notification gets saved to the database.
So iOS should probably delete an app’s entries from the notifications database when said app is deleted…
More than that, you may not want certain notifications to even be posted. As I discussed back in 2015, the Notification Center settings only control what’s displayed; turning notifications off there does not prevent the notifications from being generated and stored in the database. These days, the database is protected by TCC, but the information is still written to disk. For more privacy, apps should have their own settings that prevent the information from being sent to the system in the first place.
Signal’s settings include an option that prevents the actual message content from being previewed in notifications. However, it appears the defendant did not have that setting enabled, which, in turn, seemingly allowed the system to store the content in the database.
AuRevoir (French for ‘goodbye’) is a simple utility to view and remove notifications from Apple’s Notification Database.
Previously:
- Sequoia Finally Addresses Notification Center Privacy
- TextExpander 5 and Notification Center Privacy
