y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…?

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 09:40:34 GMT

buherator@infosec.place — Thu, 16 Apr 2026 09:40:34 GMT

@david_chisnall @itgrrl @scottymace User story: I explicitly looked for and manually enabled the history on Android bc there were notifs that contained important info but I sometimes removed them from the screen by accident and I couldn't find them in the corresponding app (can't tell the exact app/feature).

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 09:33:55 GMT

david_chisnall@infosec.exchange — Thu, 16 Apr 2026 09:33:55 GMT

@itgrrl @buherator @scottymace

Do you have any idea why they bother persisting more than the notifications currently on the screen? It's weird to collect data that you have no use for. Does it train on-device text-prediction models or something?

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 09:02:49 GMT

itgrrl@infosec.exchange — Thu, 16 Apr 2026 09:02:49 GMT

@david_chisnall @scottymace I’ve updated my toot to use a more precise descriptor

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 08:31:30 GMT

itgrrl@infosec.exchange — Thu, 16 Apr 2026 08:31:30 GMT

@buherator @david_chisnall @scottymace AFAIK on iOS there’s no on-device way to search or view the contents any of the internal system databases without jailbreaking (which has become increasingly difficult to do), but there are digital forensics tools (both commercial & open source) that can enumerate them – this is the sort of tool that the FBI used

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 07:31:34 GMT

buherator@infosec.place — Thu, 16 Apr 2026 07:31:34 GMT

@david_chisnall @itgrrl @scottymace "Is there some way of searching them?" I can only speak of Android: here definitely is a system-level option keep a browsable notification history.

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 07:26:41 GMT

david_chisnall@infosec.exchange — Thu, 16 Apr 2026 07:26:41 GMT

@itgrrl @scottymace

Nearly:

it was the amount of detail in the content of push notifications

It wasn’t the information in the push notification. This goes via Apple’s server and is a one-bit signal that says ‘there may be some messages waiting for you, you should go and check’ (may be, because Signal sends some spurious push notifications to make traffic correlations harder).

The Signal app then gets the message and asks the local OS notification mechanism to display the notification. If the permissions are set up to display Signal notifications on the lock screen, these are also persisted in a database on iOS (I have no idea why. Is there some way of searching them?). If you’re worried about people with physical access to your device reading your messages, I would suggest that turning off the thing that shows them on the lock screen is probably a good idea.

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 04:03:07 GMT

scottymace@infosec.exchange — Thu, 16 Apr 2026 04:03:07 GMT

@itgrrl Totally agree.

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 04:01:57 GMT

itgrrl@infosec.exchange — Thu, 16 Apr 2026 04:01:57 GMT

@scottymace Signal’s database #encryption wasn’t the problem in this instance, it was the amount of detail in the content of push notifications (and it’s persistence) in the iOS ̶A̶P̶N̶ ̶ notifications database

choosing to use a #Signal fork like #Molly instead of the official client brings its own set of risks and trade-offs to be weighed in the context of your specific threat model

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 03:48:30 GMT

scottymace@infosec.exchange — Thu, 16 Apr 2026 03:48:30 GMT

@itgrrl Yes, it does have android implications.
1. Open Signal.
2. Tap your profile icon.
3. Tap Notifications.
4. Under Show, select “No name or message”.
If using Molly, users can additionally enable database encryption at rest, which encrypts Signal’s local database with a separate passphrase — adding protection against on-device forensic extraction of the app’s own data.

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 03:42:24 GMT

itgrrl@infosec.exchange — Thu, 16 Apr 2026 03:42:24 GMT

@scottymace I don’t know the details of push notification storage on Android, but limiting the content of push notifications for any privacy-focused apps is a sensible precaution regardless of the app or the platform you use it on (some people run Signal on desktop OSes too)

Reply to y’all have your #Signal notifications set to “Name Only” or “No Name or Content”, right…? on Thu, 16 Apr 2026 03:38:21 GMT

scottymace@infosec.exchange — Thu, 16 Apr 2026 03:38:21 GMT

@itgrrl I see no mention of the implications for Android devices. Does the same issue exist?