Apple just fixed an iOS flaw exploited by the FBI - here's what happened

Lance Whitney/ZDNET

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• iOS 26.4.2 fixes a flaw that allowed entree to deleted texts.
• The FBI exploited this flaw to retrieve messages from a Signal user.
• The spot should support different messaging apps from this weakness.

Many radical usage the popular Signal app to nonstop and person encrypted substance messages. As an added bonus, you tin acceptable each texts to automatically vanish aft a definite magnitude of time. But those protections don't assistance arsenic overmuch if there's an underlying flaw successful your device's operating system. And that's precisely what happened, and wherefore Apple had to hole it.

On Wednesday, Apple released its latest insignificant update for iOS (and iPadOS). The release notes for iOS/iPadOS 26.4.2 amusement lone 1 vulnerability patched by the caller version. Impacting the notifications work connected your iPhone oregon iPad, the enactment simply says: "Notifications marked for deletion could beryllium unexpectedly retained connected the device."

Also: What is Signal? 7 features that marque it a go-to app for private, unafraid messaging

As is sometimes the lawsuit with Apple update notes, the mentation raises much questions than it answers. However, the crushed for the update lies successful the Signal app itself and successful however the feds were capable to skirt its security.

In a federal proceedings that concluded past month, respective individuals were charged with and recovered blameworthy of mounting disconnected fireworks and vandalizing spot astatine an ICE detention facility. One of the defendants, Lynette Sharp, had utilized Signal connected her iPhone and aboriginal deleted the app, 404 Media (subscription required) reported earlier this month, citing radical contiguous astatine the trial.

How the FBI accessed Signal messages

During the trial, however, an FBI cause testified that the bureau was capable to entree Sharp's incoming Signal messages due to the fact that copies of their contented had been saved connected her phone's propulsion notification database.

Normally, a connection received via Signal triggers a propulsion notification connected your phone. The notification alerts you to the connection and, by default, displays the sanction of the sender and shows immoderate of the connection content. In Signal, you tin modify this enactment truthful that lone the person's sanction appears, oregon that nary sanction and nary contented appear.

Also: Apple's iOS 26.4.1 update enables Stolen Device Protection by default present - drawback it today

Apparently, Sharp had near the default Signal notification settings unchanged. That meant the names and partial contents of texts she received (but not those she had sent) were inactive stored and accessible owed to this iOS weakness. That weakness allowed the FBI to retrieve definite texts she had received connected her phone.

"We learned that specifically connected iPhones, if one's settings successful the Signal app let for connection notifications and previews to amusement up connected the fastener screen, the iPhone volition internally store those notifications/message previews successful the interior representation of the device," a protagonist of the defendants who was taking notes during the proceedings told 404 Media.

Though Apple has truthful acold not acknowledged the Signal incidental arsenic the crushed for iOS 26.4.2, Signal was unfastened astir it. In a post connected X, Signal thanked Apple for the spot and specifically cited the FBI's entree to connection notification contented adjacent though the app had been deleted.

No idiosyncratic enactment required

"Apple's advisory confirmed that the bugs that allowed this to hap person been fixed successful the latest iOS release," Signal said successful its post. "Note that nary enactment is needed for this hole to support Signal users connected iOS. Once you instal the patch, each inadvertently preserved notifications volition beryllium deleted, and nary forthcoming notifications volition beryllium preserved for deleted applications. We're grateful to Apple for the speedy enactment here, and for knowing and acting connected the stakes of this benignant of issue."

Also: These informing signs could mean spyware is connected your telephone - and 9 ways to support it secure

Though the spot whitethorn person been rolled retired successful effect to the Signal incident, the update volition presumably forestall the flaw from affecting different messaging apps. To get this latest update connected your iPhone oregon iPad, caput to Settings, prime General, pat Software Updates, and past pat the fastener to update now. After the update is installed, restart your iPhone oregon iPad.