A federal terrorism trial in Texas has put a spotlight on a privacy gap that most iPhone owners never think about: the message previews that flash across a locked screen. During proceedings tied to a July 4, 2025, attack on an immigration detention facility, FBI forensic analysts testified that they recovered Signal messages from seized iPhones, not by cracking the app’s encryption, but by pulling data that the operating system had stored after displaying notifications.
The revelation prompted TechRadar to publish an urgent recommendation in early 2026: Signal users should disable lock-screen previews immediately. That advice echoes formal guidance already issued by CERT-EU, the cybersecurity response team for European Union institutions, which treats hiding notification content as a baseline security step rather than an advanced precaution.
As of May 2026, neither Signal nor Apple has publicly addressed how notification data figured into the Texas case or whether recent software updates have closed the gap.
What happened in the Texas case
On July 4, 2025, a group attacked the Prairieland Detention Facility in Alvarado, Texas. According to U.S. Immigration and Customs Enforcement, 10 suspects were charged after using fireworks and vandalism as a diversion while an officer was shot in the neck. Federal prosecutors called it a “planned ambush.” A superseding indictment added terrorism charges, and the case moved to a joint federal trial.
During that trial, FBI forensic examiners testified about extracting Signal content from the suspects’ iPhones. Courtroom reporting by the Associated Press described the testimony but did not reproduce the technical specifics. Based on available accounts, the recovery method targeted message content preserved in iOS notification logs rather than a direct attack on Signal’s end-to-end encryption. That distinction is critical: Signal’s cryptography protects messages while they travel between devices, but once iOS renders a notification preview showing a sender’s name and message text, that data can persist in system logs that forensic tools are designed to harvest.
Why the CERT-EU guidance matters
The Texas case did not surface this risk for the first time. CERT-EU’s published hardening guide for Signal already recommends setting notification content to “No Name or Content,” the most restrictive option the app offers. Because CERT-EU serves EU institutions and operates as a formal cybersecurity body, its recommendation carries institutional weight.
Notably, the EU guidance was not written in response to the Prairieland prosecution. It reflects a broader, pre-existing recognition among security professionals that notification previews are a genuine attack surface on mobile devices. When a U.S. terrorism trial and an independent European security advisory converge on the same vulnerability, the underlying concern deserves serious attention.
What remains uncertain
No publicly available forensic report or court transcript has been released detailing the exact extraction method the FBI used. Independent security researchers have not been able to confirm whether investigators relied on commercial tools like Cellebrite or GrayKey, accessed iOS notification database files directly, or used some combination of approaches.
The devices seized in July 2025 would have been running iOS versions available at that time. Apple has since tightened controls on how apps access certain logs and databases in subsequent releases, but without specific confirmation from Apple or independent testing focused on this scenario, it is unclear whether the same technique would work on devices running iOS 18.x or later. Users should assume notification previews remain a plausible forensic target until proven otherwise.
Defense arguments about the admissibility or reliability of the recovered Signal data have not surfaced in public reporting. That gap makes it hard to know whether the recovered messages were complete, fragmentary, or contested. Some content may have been partially reconstructed from notification remnants, but no public documentation clarifies the point.
As of May 2026, Signal’s developers have not issued a public statement about notification-based data recovery in connection with this case. Apple has not commented on whether its recent iOS updates changed how notification content is stored or retained. Both companies have long promoted their privacy architectures, but neither has spoken to this specific forensic scenario, leaving users without vendor-level assurances.
How to protect yourself right now
The fix takes less than a minute. Open Signal on your iPhone, tap Settings, then Notifications, and change the notification content option to “No Name or Content.” This stops message text and sender names from appearing on the lock screen or in Notification Center. It is the exact configuration CERT-EU recommends in its hardening guide.
For an extra layer of protection, you can also adjust iOS-level notification settings. Go to Settings > Notifications > Signal and set Show Previews to “Never” or “When Unlocked.” This ensures that even if Signal’s own setting is misconfigured, iOS will not display message content on a locked device.
Users who face elevated risk, such as journalists, activists, attorneys, or anyone who might encounter device seizure, should treat notification privacy as part of basic operational security. Disabling previews, enabling Signal’s disappearing messages feature, and turning on the app’s built-in screen security option (which blocks Signal content from appearing in the iOS app switcher) all reduce the amount of readable data available to forensic tools.
What about Android?
The Texas case involved iPhones, and the forensic testimony described iOS-specific data recovery. Android handles notifications through a different architecture, and it is not clear from available reporting whether the same extraction technique applies. Signal offers the same “No Name or Content” notification setting on Android, and security professionals generally recommend enabling it regardless of platform. Until more forensic detail becomes public, Android users should not assume they are immune simply because this particular case centered on Apple devices.
The bigger picture
The Signal notification issue highlights a tension that runs through nearly every encrypted messaging app. End-to-end encryption protects data while it moves between devices, but mobile operating systems create multiple points where decrypted content can leak into logs, caches, and notification databases. Signal cannot fully control what iOS does with a notification once the system has rendered it. Apple cannot prevent an app from including sensitive text in a notification payload if the user has chosen to allow previews. That shared-responsibility model means even privacy-focused tools can be undermined by a default setting most people never revisit.
The Prairieland case and the CERT-EU guidance together make a straightforward point: strong cryptography is necessary but not sufficient. The safest approach for anyone who depends on Signal’s privacy protections is to assume that whatever appears on a locked screen could eventually appear in a forensic report, and to configure the device accordingly.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
