Project ideas from Hacker News discussions.

FBI used iPhone notification data to retrieve deleted Signal messages

📝 Discussion Summary

Top Themes from the Hacker News discussion


1️⃣ OSes keep notification previews unencrypted

“iOS stores the previously displayed notifications in an internal database, which was used to access the data. It’s outside of Signal’s control, they recommend disabling showing notification content in their settings to prevent this attack vector.” – shantara

The notification database persists after the app is removed, allowing forensic extraction of message text.


2️⃣ Signal’s default notification settings are insecure

“The default setting is actually not the insecure one…” – nickburns (linking a screenshot)
“The Show Previews setting is ‘When Unlocked (Default)’.” “Name only strikes me as a fairer compromise…” – JumpCrisscross

Most users never change the default, so the app shows full message bodies on the lock screen by default.


3️⃣ Push notifications are just a “wake‑up” ping; the app decrypts locally but the OS stores the plaintext

“Signal’s FCM and APN notifications are empty and just tell the app to wake up, fetch encrypted messages, decrypt them, and then generate the notification ourselves locally.” – greysonp (Signal developer)

Even though the payload is encrypted, iOS/Android store the decrypted preview in a shared database.


4️⃣ Community frustration over security‑vs‑usability defaults

“Security is not a binary, but a spectrum… the vendor selects the best configuration for its average user, which is not the most secure configuration.” – amazingman

Many commenters argue the defaults should be the most privacy‑preserving and that users should not have to hunt through settings to stay secure.


These four themes capture the most‑repeated concerns and arguments in the thread.


🚀 Project Ideas

Signal PrivacyShield

Summary

  • Provides a one‑click “Privacy Mode” that automatically disables message previews, blocks OS‑level storage of notification content, and wipes stored entries on app exit.
  • Core value: lets users enjoy Signal’s security without manually hunting through iOS/Android settings.

Details

| Key | Value |
|---|---|
| Target Audience | Signal users who want default‑secure notifications, especially non‑technical or privacy‑conscious folks. |
| Core Feature | Automatic activation of “Name‑Only” preview and on‑demand purge of notification database entries. |
| Tech Stack | iOS app extension + Android foreground service, using Swift/Kotlin, SQLite access via ContentResolver, Secure Enclave for keys. |
| Difficulty | Medium |
| Monetization | Revenue-ready: $2.99/mo |

Notes

  • HN commenters repeatedly asked for “defaults that are secure” and complained about accidental previews; this tool answers that directly.
  • Could spark discussion on how messaging apps can enforce stricter notification hygiene out‑of‑the‑box.

Notification Content Sanitizer

Summary

  • Scans and clears lingering notification data from the system store of any installed app, eliminating plaintext copies left behind after deletion or dismissal.
  • Core value: Restores user control over residual message remnants that can be harvested by forensic tools.

Details

| Key | Value |
|---|---|
| Target Audience | Power users, forensic‑aware individuals, and privacy‑focused developers who need to guarantee no hidden message caches. |
| Core Feature | One‑click deep‑clean of iOS “knowledgec” and Android “notification_history.db” caches; integrates with macOS/Windows for cross‑device cleanup. |
| Tech Stack | Python + PyObjC for iOS, Java/Kotlin for Android, Electron for desktop UI, uses Secure Wipe APIs. |
| Difficulty | High |
| Monetization | Revenue-ready: $19.99 license |

Notes

  • Several HN posts highlighted “deleted Signal messages still recoverable from notification DB”; this tool directly addresses that pain point.
  • Sparks conversation about OS‑level data hygiene policies and could be marketed to journalists, activists, and security researchers.

Secure Push Notify SDK

Summary

  • A lightweight SDK that lets any app send encrypted “wake‑up” push notifications without embedding message text, preventing OS storage of plaintext previews.
  • Core value: Enables developers to adopt the highest‑privacy notification model while staying battery‑efficient.

Details

| Key | Value |
|---|---|
| Target Audience | Mobile app developers building secure messaging, alerts, or any service that relies on push notifications. |
| Core Feature | API to generate Firebase/APNs payloads that trigger an encrypted payload decrypted locally by the receiver app only. |
| Tech Stack | Cross‑platform (React Native + native modules), uses OpenPGP.js for payload encryption, provides sample server code (Node). |
| Difficulty | Low |
| Monetization | Hobby |

Notes

  • Several HN users noted that “push notifications themselves can leak content” and asked for a cleaner way; this SDK fulfills that need.
  • Opens discussion on standardizing privacy‑preserving push protocols, potentially influencing future OS updates.
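
The wake-up model from theme 3 and the Secure Push Notify SDK idea above, as an added example (not code from Signal, the thread, or this page): the server sends content-free APNs/FCM payloads, and the client-side preview policy decides what text reaches the OS notification store. The function names, preview modes and sample message are assumptions made for illustration.

```javascript
// Added example. Payload field names follow the public APNs and FCM HTTP v1
// formats; function names, preview modes and sample data are hypothetical.

// APNs background push: no "alert" key, so the push carries nothing to display.
function buildApnsWakeup() {
  return {
    headers: { "apns-push-type": "background", "apns-priority": "5" },
    payload: { aps: { "content-available": 1 } },
  };
}

// FCM HTTP v1 data-only message: no "notification" block and no message text.
function buildFcmWakeup(deviceToken) {
  return { message: { token: deviceToken, android: { priority: "high" }, data: { wake: "1" } } };
}

// Server-side audit: list the paths of any fields that would carry display text.
function findDisplayText(payload, path = "") {
  const risky = new Set(["alert", "notification", "title", "subtitle", "body"]);
  const hits = [];
  for (const [key, value] of Object.entries(payload)) {
    const here = path ? `${path}.${key}` : key;
    if (risky.has(key)) hits.push(here);
    else if (value && typeof value === "object") hits.push(...findDisplayText(value, here));
  }
  return hits;
}

// Client side, after local decryption: the object returned here is what gets
// handed to the OS notification API, so it is also what the OS can retain.
function renderLocalNotification(message, previewMode) {
  switch (previewMode) {
    case "name_and_content":
      return { title: message.sender, body: message.text };
    case "name_only":
      return { title: message.sender, body: "New message" };
    default: // "none" or any unrecognised mode: fail closed
      return { title: "New message", body: "" };
  }
}

// Constructed sample input.
const sample = { sender: "Alice", text: "meet at 6pm" };
for (const mode of ["name_and_content", "name_only", "none"]) {
  console.log(mode, JSON.stringify(renderLocalNotification(sample, mode)));
}
console.log("apns audit:", findDisplayText(buildApnsWakeup().payload));
console.log("legacy audit:", findDisplayText({ aps: { alert: { body: sample.text } } }));
```

Running `findDisplayText` over every outgoing payload in a server test suite catches a regression that reintroduces message text into the push itself; the preview mode remains the only control over what the OS stores locally.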

Signal‑Ready Privacy Education Hub

Summary

  • Interactive web platform that walks users through secure configuration of messaging apps, highlighting default‑secure settings and one‑click toggles.
  • Core value: Lowers the barrier for average users to adopt privacy‑first defaults without needing technical expertise.

Details

| Key | Value |
|---|---|
| Target Audience | General consumers of secure messaging apps who feel overwhelmed by settings menus. |
| Core Feature | Guided setup wizard for Signal, WhatsApp, Telegram; auto‑detection of device OS; generates a checklist of recommended privacy toggles. |
| Tech Stack | React + Node.js backend, Firebase Auth, i18n support, embeddable script for in‑app overlay. |
| Difficulty | Medium |
| Monetization | Revenue-ready: $4.99 premium |

Notes

  • Repeated HN calls for “defaults should be secure” and frustration about users not knowing hidden settings; this hub answers that need.
  • Could generate community discussion around education vs. engineering fixes, and offers partnership potential with privacy‑focused NGOs.
