Security Experts:

Connect with us

Hi, what are you looking for?



Deleted Signal Messages Linger on macOS

Messages from the Signal desktop application for Mac are not deleted from the machine, but are instead copied to the notifications bar, where they persist, a security researcher warns.

Messages from the Signal desktop application for Mac are not deleted from the machine, but are instead copied to the notifications bar, where they persist, a security researcher warns.

The issue, discovered by Alec Muffett, impacts even disappearing messages, which remain in the operating system’s Notification Center.

Introduced in OSX 10.10 (Yosemite), Notification Center was designed to help users easily access details about their day and catch up on notifications they might have missed, and Signal uses it to alert on newly arrived messages. If the Signal application is not in the foreground, the notification is by default displayed at the top right corner of the screen.

The creation and posting of notifications to the Notification Center on macOS can be done in various manners, using the NSUserNotification class. After a few seconds, however, the operating system automatically dismisses notifications from the screen, if the user doesn’t interact with them.

The default type of notification is a ‘banner’ that gets dismissed after a few seconds, but developers can also specify the type ‘alert’ (by setting the ‘NSUserNotificationAlertStyle‘ key to ‘alert’), which is an interactive notification.

The Signal app, however, does not specify a ‘NSUserNotificationAlertStyle‘ style, meaning that it uses the default type of notification, a non-interactive ‘banner’ auto-dismissed by the OS.

As Objective-See’s Patrick Wardle points out, even if the application is in focus and the notification isn’t shown to the user, if the application invokes [NSUserNotificationCenter defaultUserNotificationCenter], the notification goes to the Notification Center.

Furthermore, the notification is not removed from the Notification Center, unless the type is ‘alert’ and the user interacts with it, the application explicitly dismisses it, or the user opens the Notification Center and clicks ‘x’.

However, Signal’s disappearing messages may not disappear on macOS even if the application deletes them from the UI.

They may persist in the Notification Center because a message notification is posted there when the app is not in the foreground and because the OS automatically dismisses the notification ‘banner’, but leaves the actual notification (which contains the message contents) in the Notification Center.

What’s more, “Signal does not explicitly delete this notification when it deletes messages from the app UI,” the security researcher explains.

However, if the Signal application is in the foreground, no such notification is posted, meaning that the messages don’t end up in the Notification Center. Furthermore, the messages appear in the Notification Center truncated, because the notifications limit the amount of text being displayed.

Wardle also explains that, Signal messages that end up in the Notification Center can even be recovered after deletion, because notifications are stored on the disk in a SQLite database readable with user (non-root) permissions.

The database contains not only information on the applications that have posted notifications, but also the notifications themselves, along with their contents. Thus, the full text of Signal messages that arrived as notifications can be recovered from there, even if some messages were set to disappear.

“If the application wants the item to be removed from the Notification Center, it must ensure that the alert is dismissed by the user or programmatically! However, it is not clear that this also ‘expunges’ the notifications (and their contents) from the notification database… I’m guessing not! If this is the case, Signal may have to avoid generating notifications (containing the message body) for disappearing messages,” Wardle concludes.

Related: WhatsApp Co-founder Invests $50 Million in Signal

Related: Signal Announces Private Contact Discovery

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...