Signal macOS Desktop App Doesn't Actually Delete Messages When it Should


Security researcher Harry Sintonen disclosed that the macOS desktop Signal app does not actually remove messages from disk when they are deleted in the app's UI.

Sintonen explains that the macOS Signal app stores its messages in an SQLCipher database, which is SQLite with a page-level encryption layer, so it inherits SQLite's storage behaviour, including how it journals writes.

In SQLite's write-ahead logging (WAL) mode, every committed transaction is appended to a separate log file (the -wal file next to the database) as full copies of the pages it changed; those pages are only merged, or checkpointed, into the main database file once the log reaches a threshold number of pages. Deleting a message therefore appends a new copy of the affected page without the row, while the older copy of that page, message included, stays in the log until the next checkpoint.

The threshold in Signal is SQLite's default of 1000 pages, a number that Sintonen says can take several days to reach, depending on how busy your Signal app is.

This means that messages shown as deleted in the Signal UI can still be present on disk long after you deleted them.

Signal is a security-critical app for many people, and one of the features it boasts is time-sensitive disappearing messages.

The timer for these messages can be set to a very short time, down to a few seconds. A user could therefore believe a message was gone seconds after it was viewed, when in fact it remains on disk until days later.

Worse still, the on-disk files, log included, can be captured in Time Machine backups, leaving those messages recoverable for even longer.

Sintonen points out that since the message database file is encrypted, the impact of the vulnerability is lessened.

Also, anyone who uses Signal heavily reaches the threshold sooner, which shortens the window further.

Restarting the Signal app also forces the messages to be properly removed: when the last connection to the database closes, SQLite checkpoints the log into the database file and deletes the log file.
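The mechanism described above (a delete appends a fresh copy of the page to the log while the old copy keeps the message until a checkpoint) and the restart effect can both be reproduced with plain SQLite. The following is an added example written for this article, not code from Signal or from Sintonen's proof-of-concept. It uses Python's built-in sqlite3 module on an unencrypted database, so the retained copy is visible as plaintext; in Signal's SQLCipher database the same log frames exist but are encrypted with the database key. The table name, message text and file paths are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample message body: a recognisable marker we can grep for on disk.
MARKER = "DISAPPEARING-MESSAGE-7a1c9e"


def _file_contains(path, needle):
    """Crude on-disk check: do the raw bytes of the file contain `needle`?"""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def demo_wal_retention(explicit_checkpoint=False, db_path=None):
    """Insert one message, delete it, and report where its plaintext still lives.

    Returns a dict of observations so each step can be checked programmatically.
    """
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(prefix="wal-demo-"), "messages.db")
    wal_path = db_path + "-wal"
    seen = {}

    conn = sqlite3.connect(db_path)
    # WAL mode: each committed transaction appends full copies of the changed
    # pages to messages.db-wal; the main file is untouched until a checkpoint.
    seen["journal_mode"] = conn.execute("PRAGMA journal_mode=WAL").fetchall()[0][0]
    # secure_delete zeroes deleted cell content in the *new* page image, so the
    # only surviving copy is the older frame in the WAL. (Without it the main
    # file can keep slack bytes as well, a separate issue the article does not cover.)
    conn.execute("PRAGMA secure_delete=ON")
    # SQLite's default auto-checkpoint threshold: the 1000 pages the article cites.
    seen["autocheckpoint_pages"] = conn.execute("PRAGMA wal_autocheckpoint").fetchall()[0][0]

    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER,))
    conn.commit()  # the frame holding the page with the plaintext is now in the WAL
    conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
    conn.commit()  # a newer copy of the page is appended; the old frame is left as is

    seen["rows_visible"] = conn.execute("SELECT count(*) FROM messages").fetchall()[0][0]
    seen["wal_holds_deleted_text"] = _file_contains(wal_path, MARKER)
    seen["db_holds_deleted_text_before_checkpoint"] = _file_contains(db_path, MARKER)

    if explicit_checkpoint:
        # What the page threshold would eventually trigger, done on demand, but in
        # TRUNCATE mode: fold the WAL into messages.db and cut the log to zero bytes.
        busy, _log_pages, _moved = conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()[0]
        seen["checkpoint_busy"] = busy
        seen["wal_size_after_checkpoint"] = os.path.getsize(wal_path)
        seen["wal_holds_deleted_text_after_checkpoint"] = _file_contains(wal_path, MARKER)

    # Closing the last connection (the app exiting) checkpoints and deletes the WAL.
    conn.close()
    seen["wal_exists_after_close"] = os.path.exists(wal_path)
    seen["db_holds_deleted_text_after_close"] = _file_contains(db_path, MARKER)
    return seen


if __name__ == "__main__":
    for label, flag in (("threshold/restart only", False), ("explicit checkpoint", True)):
        print(label)
        for key, value in demo_wal_retention(explicit_checkpoint=flag).items():
            print(f"  {key}: {value}")
```

Two details matter for anyone fixing this kind of bug. The checkpoint that SQLite fires on its own when the threshold is hit is a PASSIVE one: it copies pages into the database but neither truncates nor zeroes the log file, so stale frames can sit in the -wal file past that point until later writes overwrite them. A fix therefore wants an explicit `PRAGMA wal_checkpoint(TRUNCATE)` after deletions (or a much lower `wal_autocheckpoint` combined with a `journal_size_limit`), not just a smaller threshold.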

A proof-of-concept is available on GitHub.

Sintonen discovered the vulnerability back in November of 2025 and promptly reported it to Signal through the proper channels. He received no acknowledgement. After a 180-day wait, and after confirming the app was still vulnerable, he publicly disclosed the vulnerability.

It is not clear whether other Signal apps are affected, but he says the other Signal desktop apps are likely affected and Android is likely affected as well. The iOS app, however, is unaffected.

The Signal desktop apps have come under fire in the past for storing files unencrypted. Representatives at Signal stated that "[t]he database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide."

Eventually, Signal fixed the issue anyway.

Hopefully the complete radio silence for this issue will eventually be met with a fix as well.
