Settings > Notifications > Notification Content > Show: "Name Only" or "No Name or Content"
I've had this enabled to prevent sensitive messages from appearing in full whilst showing someone something on my phone, but I guess this is an added benefit as well.
Yes. And technically, from a privacy perspective, it's even worse than that. What's additionally happening is they're still 'syncing' back to Apple servers via APNS (and to Alphabet servers via Firebase on Android)—even with notifications completely disabled, that's correct.
If the app generates them, the OS receives them. That's why the Signal app offers this setting.
>it's even worse than that. What's additionally happening is they're still 'syncing' back to Apple servers via APNS (and to Alphabet servers via Firebase on Android)—even with notifications completely disabled, that's correct.
Source? I don't think either OS implements notification syncing between devices, it's only one way, and as others have mentioned, the actually push notification doesn't contain any message content, only an instruction for signal to fetch and decrypt the message.
This sounds correct. When I implemented push notifications for an iPhone application, I remainder needing to obtain a store a separate token for each device a user has, and subscribing to a feed of revoked delivery tokens. Seemed like an interesting design intended to facilitate E2E encryption for push notifications.
With notifications disabled APNS push notifications fail for the sending app backend. The device id is rendered invalid if push notifications are disabled at any point. Backends are supposed to handle this and quit sending messages.
Signal has this setting to tell the backend how much information to put into the push message. It can tell the backend to send a simple notification saying “new message” and not send information through APNS or enable it.
I am willing to bet Signal has a notification extension to handle edge cases where there is lag in settings to scrub the message metadata before it dings a screen alert.
However, if this is important to you then you want Signal to stop telling Android to make the notifications. If it doesn't exist nobody will accidentally make it available.
Deleting that history is good to know about after the fact, but preferably lets just not create the problem.
It's a mode of the phone that is supposed to prevent cyber attacks, more so than "normal mode" I suppose, since it's supposed to limit features in the name of security. This seems like a variant of such attack, so seems like it should protect against it
There is a documented list of things that Lockdown Mode affects [1], this is not one of the advertised ones. There are a bunch of other (undocumented) things it affects (some of which are bugs :/), but I don't believe it has any affect on notification storage.
Mostly it seems the documentation is vague. Is there anything clearer than this?
> Web browsing: Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.
"Signal’s settings include an option that prevents the actual message content from being previewed in notifications. However, it appears the defendant did not have that setting enabled, which, in turn, seemingly allowed the system to store the content in the database."
Not sure if it's exactly the same, but I had to add a When notification arrives with <message>, do <action> event trigger in my Crank macOS app (https://lowtechguys.com/crank) so I can show you how to do it on macOS:
HOURS=6
EPOCH_DIFF=978307200
SINCE=$(echo "$(date +%s) - $EPOCH_DIFF - $HOURS * 3600" | bc)
sqlite3 ~/Library/Group\ Containers/group.com.apple.usernoted/db2/db \
"SELECT r.delivered_date, COALESCE(a.identifier, 'unknown'), hex(r.data)
FROM record r
LEFT JOIN app a ON r.app_id = a.app_id
WHERE r.delivered_date > $SINCE
ORDER BY r.delivered_date ASC;" \
| while IFS='|' read -r cfdate bundle hexdata; do
date -r $(echo "$cfdate + $EPOCH_DIFF" | bc | cut -d. -f1) '+%Y-%m-%d %H:%M:%S'
echo " app: $bundle"
echo "$hexdata" | xxd -r -p > /tmp/notif.plist
plutil -p /tmp/notif.plist 2>/dev/null \
| grep -E '"(titl|title|subt|subtitle|body|message)"' \
| sed 's/^ */ /'
echo "---"
done
Basically, notifications are in an sqlite db at ~/Library/Group Containers/group.com.apple.usernoted/db2/db and are stored as plist blobs.
In recent years, filesystem paths for system services have started to converge for both macOS and iOS so I'm thinking with jailbreak you could get read access to that database and get the same data out of it.
On android there are apps that let you see the history - i use NotiStar occasionally to see if i unwittingly dismissed important notifications. And i believe there are apps/settings that help you clear the history from the device.
But this is a reminder that these centralized notification infrastructure (FCM and APNs) store notification content (if the app is told to send content in it - signal with option enabled wouldn't send content) even if we clear local history these middleman still hold it
On android its quite easy. There is a page of a protocol address that has all notifications show. I used to have a seizure to it. It has been years since I was on android.
But it was really useful each time I did not see a notification in time.
Larping about security and complaining about companies responding to court orders only gets you so far. Its way more useful to look at what actually happens in reality.
I wonder why Apple doesn't 'just' delete the notification data associated with the app from the internal database when the user deletes the app? It seems like asking for problems to just keep old notification content around forever.
If the "database" works like most other databases (eg. postgres or sqlite), deleting a row doesn't immediately cause the data to be wiped from disk, for performance reasons. Then as others mentioned you have filesystem/SSD logic that does something similar on top of that.
If it never hits flash that might work, but if it's in flash storage then the block may not be erased by the time its dumped.
I'm not sure precisely how the NAND controller responds to requests for raw data from blocks with "deleted" data. And if this would require decapping the flash.
Some flash will happily let you see the data and delay erasing it.
Generally flash is non deterministic about when blocks even those with entirely stale data are erased . It might be years before the block is reused due to wear leveling algorithms and it might retain data that entire time.
Here's hoping the controller for phones which hold sensitive data are more active
It's one of those problems where as soon as someone notices, it's crazy that no one noticed. I can't imagine this not being overhauled going forward. It's just a bad way to operate and now it's news.
On Android, when I use WhatsApp and have notifications for groups turned off, I can still see that they arrive briefly and then get removed (the icon top left vanishes). I wonder often, if this is a way to push all group message content into an unencrypted data trace as well - for the same use case.
If the notification has the data, then yes. It's trivial to create an app that listens to notifications; Samsung even has one themselves called NotiStar that replicates the notification history feature that Android normally has.
“Messages were recovered from Sharp’s phone through Apple’s internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing).”
ie the messages recovered were 1. incoming 2. stored by the OS after decryption
iOS stores the previously displayed notifications in an internal database, which was used to access the data. It’s outside of Signal’s control, they recommend disabling showing notification content in their settings to prevent this attack vector
They do control the content on the notification. It's a bit odd to put the sensitive text in the notification only to recommend disabling it at the system level.
You can choose what to show in the notification and there is an option to include the message, so I'm guessing that allowed some unencrypted incoming messages to be read.
Sibling comment explains. The notification does arrive encrypted and is decrypted by an app extension (by Signal), however, if the message preview is shown, it is stored unencrypted by iOS. It is that storage that is accessed.
I thought Signal didn’t show message previews by default and you had to go in and enable it? I’ve never had message previews in my Signal and I don’t remember changing anything. Maybe when they introduced the feature, you could pick but they strongly suggested it not showing?
The opposite, actually. Signal endlessly nags you to turn on notifications, and when you turn them on, previews and content are shown by default. You cannot opt out of the nags.
There needs to be a bit more "group chat" control in Signal messages, wherein you could enforce certain settings for certain chats regardless of the phone settings. You could have group chats that would enforce not showing more information in the notifications, while others would still allow it.
I think it fits in pretty well with Signal. As it stands, a group chat can control when a message is automatically deleted for everyone, so everyone can rely on that being a shared setting. That's an intentional design decision. There's no individual opt-out.
An individual can disable name or content in notifications in iOS, or set "mute messages" for a chat to prevent notifications from appearing for that specific chat, but there's nothing that gives group members any assurance that other group members are doing that.
But it would be pretty well in line with the "I trust my contact with this communication, but only if they're not systematically misled to copy it to readily exploitable insecure storage" line of thinking.
Since the purposes of the program are pretty heavy on private communication, I'm inclined to think that takes precedence here, especially considering the consequences for dropping default message previews versus adding default reveal of supposedly private information.
The article you're commenting on is about people who obviously would have wanted this disabled, but didn't have it disabled, presumably because they didn't know about this issue.
Signal does not send any sensitive information in push notifications sent via APNs [0]. This story concerns the local OS cache of push notifications, which are triggered after E2E decryption has occurred.
Right. It's purely a protection against MitM snooping. The app has to have the messages in plaintext to display to you via whatever mechanism the OS uses. Seems obvious, but also not, at the same time.
I've found other ways Signal can leak information, even with disappearing messages. It's not the total install-and-be-done privacy screen that some people think it is, and requires a little effort at the user end to fill in a few gaps.
Good. The moment they add it, all kinds of apps will start to abuse it, for "sekhurity" (read: engagement) reasons. See e.g. all the apps that now disallow taking screenshots, for no legitimate reason.
Personally I'd be in favor of a hard app store policy, that if an app notifies you about something, all the importantdetails (like full message text) must be included - specifically to allow the user to view the important information without having to open the app itself.
thank god whatsapp doesn't do that either. or telegram. or allo back in the day, or every single mobile first messaging app
The only one I can think of that doesn't require a mobile login is iMessage, because it's not a chat app, it's lock in and data theft disguised as software
Settings > Notifications > Notification Content > Show: "Name Only" or "No Name or Content"
I've had this enabled to prevent sensitive messages from appearing in full whilst showing someone something on my phone, but I guess this is an added benefit as well.
Just to clarify, this is within the Signal app settings—not the OS (iOS or Android) system settings.
Critical distinction, as merely changing OS notification settings will simply prevent notification content from being displayed on-screen.
Wait so if I do iOS setting notifications > never show previews it’s still caching them in the background? Unencrypted?
Yes. And technically, from a privacy perspective, it's even worse than that. What's additionally happening is they're still 'syncing' back to Apple servers via APNS (and to Alphabet servers via Firebase on Android)—even with notifications completely disabled, that's correct.
If the app generates them, the OS receives them. That's why the Signal app offers this setting.
>it's even worse than that. What's additionally happening is they're still 'syncing' back to Apple servers via APNS (and to Alphabet servers via Firebase on Android)—even with notifications completely disabled, that's correct.
Source? I don't think either OS implements notification syncing between devices, it's only one way, and as others have mentioned, the actually push notification doesn't contain any message content, only an instruction for signal to fetch and decrypt the message.
This sounds correct. When I implemented push notifications for an iPhone application, I remainder needing to obtain a store a separate token for each device a user has, and subscribing to a feed of revoked delivery tokens. Seemed like an interesting design intended to facilitate E2E encryption for push notifications.
With notifications disabled APNS push notifications fail for the sending app backend. The device id is rendered invalid if push notifications are disabled at any point. Backends are supposed to handle this and quit sending messages.
Signal has this setting to tell the backend how much information to put into the push message. It can tell the backend to send a simple notification saying “new message” and not send information through APNS or enable it.
I am willing to bet Signal has a notification extension to handle edge cases where there is lag in settings to scrub the message metadata before it dings a screen alert.
yes, since apple doesn't control the content of the pushes it is sent by application backends. that can only be controlled within each app
Signal should switch the default to being less verbose.
The default should be "No name or content".
users should switch to simpleX
Fwiw, in my Signal app on Android this setting is in
Settings > Notifications > Messages > Show
My Samsung also keeps a history of notification content. Under Settings->Notifications ->Advanced -> Notification History
However, if this is important to you then you want Signal to stop telling Android to make the notifications. If it doesn't exist nobody will accidentally make it available.
Deleting that history is good to know about after the fact, but preferably lets just not create the problem.
Disable Apple Intelligence summaries for sensitive app notifications too.
Given the quality of the summaries, you might want to keep them just for plausible deniability </s>
I guess enabling Lockdown mode might avoid this particular issue too, together with a bunch of other stuff?
Why would lockdown mode prevent this? I have lockdown mode on but that doesn't automatically make my notifications private.
Lockdown mode would prevent access to the data in theory.
But most likely (pure speculation mind you), this was a case of someone handing over the phone for review and where cooperating.
It might have been that they deleted signal some time ago, or even deleted signal and then handed over the phone.
It's notable that the data wasn't recovered from signals storage (was the data securely erased or that kind of recovery not attempted?).
It's a mode of the phone that is supposed to prevent cyber attacks, more so than "normal mode" I suppose, since it's supposed to limit features in the name of security. This seems like a variant of such attack, so seems like it should protect against it
There is a documented list of things that Lockdown Mode affects [1], this is not one of the advertised ones. There are a bunch of other (undocumented) things it affects (some of which are bugs :/), but I don't believe it has any affect on notification storage.
[1] https://support.apple.com/en-us/105120
Mostly it seems the documentation is vague. Is there anything clearer than this?
> Web browsing: Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.
Maybe it should.
So this is where we find out the one end of e2e is the phone and not the app.
Semi-related, in whatsapp reading the text in the notification doesn't mark the message as read, so the OS is kinda mitm here.
Signal creates the notification, does it not? That's like claiming `echo "my_private_data" | notify-send` is insecure.
If piping encrypted content resulted in a plaintext notification then you'd have a right to be concerned.
First, a critical setting for Signal users:
"Signal’s settings include an option that prevents the actual message content from being previewed in notifications. However, it appears the defendant did not have that setting enabled, which, in turn, seemingly allowed the system to store the content in the database."
Second, how can I see this notification history?
Not sure if it's exactly the same, but I had to add a When notification arrives with <message>, do <action> event trigger in my Crank macOS app (https://lowtechguys.com/crank) so I can show you how to do it on macOS:
Basically, notifications are in an sqlite db at ~/Library/Group Containers/group.com.apple.usernoted/db2/db and are stored as plist blobs.In recent years, filesystem paths for system services have started to converge for both macOS and iOS so I'm thinking with jailbreak you could get read access to that database and get the same data out of it.
On android there are apps that let you see the history - i use NotiStar occasionally to see if i unwittingly dismissed important notifications. And i believe there are apps/settings that help you clear the history from the device.
But this is a reminder that these centralized notification infrastructure (FCM and APNs) store notification content (if the app is told to send content in it - signal with option enabled wouldn't send content) even if we clear local history these middleman still hold it
On Lineage Android, i see: Settings / Notifications / Notification History.
If you drop a settings widget on your home screen, it will let you choose a specific area, including notifications.
I don't know if the output is the complete database.
On android its quite easy. There is a page of a protocol address that has all notifications show. I used to have a seizure to it. It has been years since I was on android.
But it was really useful each time I did not see a notification in time.
> I used to have a seizure to it.
Hopefully, you meant to write "shortcut"...
On a Pixel, I can see some history by going to
Android > Settings > Notifications > Manage > Notification History
Yes, mine (the history option) is turned off. Nice opt in implementation.
> testimony in a recent trial
Court cases are the real way to audit security.
Larping about security and complaining about companies responding to court orders only gets you so far. Its way more useful to look at what actually happens in reality.
The recent Trivy / LiteLLM mess was also a security thing, and seems rather different.
Original article: FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database[0]
0. https://www.404media.co/fbi-extracts-suspects-deleted-signal...
That's unfortunately less informative if you aren't already one of their subscribers.
https://archive.is/bSQhD You can view their link here.
I wonder why Apple doesn't 'just' delete the notification data associated with the app from the internal database when the user deletes the app? It seems like asking for problems to just keep old notification content around forever.
If the "database" works like most other databases (eg. postgres or sqlite), deleting a row doesn't immediately cause the data to be wiped from disk, for performance reasons. Then as others mentioned you have filesystem/SSD logic that does something similar on top of that.
If it never hits flash that might work, but if it's in flash storage then the block may not be erased by the time its dumped.
I'm not sure precisely how the NAND controller responds to requests for raw data from blocks with "deleted" data. And if this would require decapping the flash.
Some flash will happily let you see the data and delay erasing it.
Generally flash is non deterministic about when blocks even those with entirely stale data are erased . It might be years before the block is reused due to wear leveling algorithms and it might retain data that entire time.
Here's hoping the controller for phones which hold sensitive data are more active
It's one of those problems where as soon as someone notices, it's crazy that no one noticed. I can't imagine this not being overhauled going forward. It's just a bad way to operate and now it's news.
On Android, when I use WhatsApp and have notifications for groups turned off, I can still see that they arrive briefly and then get removed (the icon top left vanishes). I wonder often, if this is a way to push all group message content into an unencrypted data trace as well - for the same use case.
If the notification has the data, then yes. It's trivial to create an app that listens to notifications; Samsung even has one themselves called NotiStar that replicates the notification history feature that Android normally has.
As an aside, I decrypted an encrypted iPhone backup using a tool from GitHub because I wanted easy access to my Voice Memo recordings.
Photos I had long deleted were still in the backup! It's quite surprising just how much is being stored by the phone.
What did you use?
Aren’t notifications supposed to be encrypted for Signal?
They are;
“Messages were recovered from Sharp’s phone through Apple’s internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing).”
ie the messages recovered were 1. incoming 2. stored by the OS after decryption
i also was spooked by the headline :p
iOS stores the previously displayed notifications in an internal database, which was used to access the data. It’s outside of Signal’s control, they recommend disabling showing notification content in their settings to prevent this attack vector
They do control the content on the notification. It's a bit odd to put the sensitive text in the notification only to recommend disabling it at the system level.
No. They recommended disabling it at the app level. Only the Signal app can control whether the message contents are included in the notifications.
They do not. They send encrypted notifications. It’s the OS that stores them unencrypted. It’s the OS at fault here IMHO.
i think they're replying to the "recommendation" part -- if it was recommended, why isn't it the safe default?
i haven't actually seen signal or anyone adjacent recommend that previously though, idk where that claim came from
You can choose what to show in the notification and there is an option to include the message, so I'm guessing that allowed some unencrypted incoming messages to be read.
Sibling comment explains. The notification does arrive encrypted and is decrypted by an app extension (by Signal), however, if the message preview is shown, it is stored unencrypted by iOS. It is that storage that is accessed.
it seems iOS will drop previews into an unencrypted section. which, Is how I expected iOS notification previews to work without unlocking the phone
This kind of vulnerability is not tied to Signal but all apps which send notification.
I thought Signal didn’t show message previews by default and you had to go in and enable it? I’ve never had message previews in my Signal and I don’t remember changing anything. Maybe when they introduced the feature, you could pick but they strongly suggested it not showing?
The opposite, actually. Signal endlessly nags you to turn on notifications, and when you turn them on, previews and content are shown by default. You cannot opt out of the nags.
Also discussed yesterday, in https://news.ycombinator.com/item?id=47703573
There needs to be a bit more "group chat" control in Signal messages, wherein you could enforce certain settings for certain chats regardless of the phone settings. You could have group chats that would enforce not showing more information in the notifications, while others would still allow it.
This feels like it would run against the “I bought my device, I should control how it behaves” line of thinking.
I think it fits in pretty well with Signal. As it stands, a group chat can control when a message is automatically deleted for everyone, so everyone can rely on that being a shared setting. That's an intentional design decision. There's no individual opt-out.
An individual can disable name or content in notifications in iOS, or set "mute messages" for a chat to prevent notifications from appearing for that specific chat, but there's nothing that gives group members any assurance that other group members are doing that.
But it would be pretty well in line with the "I trust my contact with this communication, but only if they're not systematically misled to copy it to readily exploitable insecure storage" line of thinking.
Since the purposes of the program are pretty heavy on private communication, I'm inclined to think that takes precedence here, especially considering the consequences for dropping default message previews versus adding default reveal of supposedly private information.
smartphones in general runs against the “I bought my device, I should control how it behaves” line of thinking
People who NEED to hide their notifications from iOS have this already disabled.
They rest who "evaluate their threat models" can practice Spy-life-gymnastics by disabling it from Signal.
What a goofy comment.
The article you're commenting on is about people who obviously would have wanted this disabled, but didn't have it disabled, presumably because they didn't know about this issue.
Victim blaming?
Probably stupid question: why won't they e2e-encrypt push notifications too? The vector is obvious and has been open since forever.
Signal does not send any sensitive information in push notifications sent via APNs [0]. This story concerns the local OS cache of push notifications, which are triggered after E2E decryption has occurred.
[0] https://mastodon.world/@Mer__edith/111563865413484025
The "e" in e2e encryption is a computing device, not the device's user's brain.
Reminder that no end-to-end encryption arrangement can do anything before encryption, or after decryption, at the endpoints.
Right. It's purely a protection against MitM snooping. The app has to have the messages in plaintext to display to you via whatever mechanism the OS uses. Seems obvious, but also not, at the same time.
I've found other ways Signal can leak information, even with disappearing messages. It's not the total install-and-be-done privacy screen that some people think it is, and requires a little effort at the user end to fill in a few gaps.
Um. Android has notification history also and I see no similar ability to hide notification content from the system ...
Good. The moment they add it, all kinds of apps will start to abuse it, for "sekhurity" (read: engagement) reasons. See e.g. all the apps that now disallow taking screenshots, for no legitimate reason.
Personally I'd be in favor of a hard app store policy, that if an app notifies you about something, all the importantdetails (like full message text) must be included - specifically to allow the user to view the important information without having to open the app itself.
signal is security theater, and a very bad user experience
Prove it.
> very bad user experience
"To use the Signal desktop app, Signal must first be installed on your phone."
thank god whatsapp doesn't do that either. or telegram. or allo back in the day, or every single mobile first messaging app
The only one I can think of that doesn't require a mobile login is iMessage, because it's not a chat app, it's lock in and data theft disguised as software