Skip to content
AppVault
en

LANGUAGE / 9

FILE 09 / FILE SHREDDER

Delete that actually removes the bytes — not just the filename.

A standard delete on any modern filesystem unlinks the file from the directory and marks its storage as available, but leaves the bytes themselves on disk until something else writes over them. AppVault’s File Shredder overwrites the encrypted file blob three times before unlinking, in the style of the U.S. DoD 5220.22-M standard for media sanitization. This page explains when that actually matters.

UPDATED · 2026-05-16 · REVIEWED BY APPVAULT

Why "delete" usually does not delete

The mental model most people have of deletion is that the file is physically erased — the bytes scrubbed off the disk. The reality on every modern filesystem is closer to a library reshelving operation. The directory entry that says "this filename lives at these storage blocks" gets removed. The blocks themselves get marked as available for new writes. The original bytes stay there, in place, until some future write happens to land on those exact blocks.

How long that takes depends on how much free storage you have and how much data you write afterwards. On an iPhone with 80% of its storage free, the original bytes of a "deleted" file can persist for months. Forensic tools that read raw storage — bypassing the filesystem layer — recover those bytes in full.

The conventional fix is to overwrite the bytes before unlinking. Write random data over the original. Write again. Write a third time. After the third pass, even if a forensic tool reads the raw storage blocks, what it finds is meaningless noise.

How AppVault’s shredder works

When you choose Shred on a file inside AppVault, three operations happen in sequence:

  1. The encrypted file blob in AppVault’s sandboxed container is opened for write. A buffer the same size as the blob is filled with cryptographically random bytes from SecRandomCopyBytes and written over the existing data. The write is synced to storage before the next pass begins.
  2. The same buffer is XORed with 0xFF (the bitwise complement of the random pass) and written again. This is the second pass.
  3. A fresh random buffer is generated and written as the third pass. The file handle is closed and the now-overwritten blob is unlinked from the filesystem.

The catalog inside the vault is updated to remove the file’s entry, and the catalog is re-encrypted as a whole. After the operation completes, the vault behaves exactly as if the file had never been imported in the first place.

The honest caveat about iPhone flash

Three-pass overwrite was designed for magnetic media — spinning hard drives where the relationship between a logical block and a physical location on the platter is one-to-one. Modern flash storage breaks that assumption. The flash controller maintains a logical-to-physical mapping that it adjusts to spread write wear evenly across the chip. When AppVault writes "overwrite pass one" to logical block N, the controller is free to send that write to a different physical page than the one block N previously occupied — leaving the original physical page intact, marked as "to be erased eventually".

This means file-level shredding on flash is structurally less complete than file-level shredding on a hard drive. It is the honest answer that every iOS file shredder’s documentation should include, and most do not.

Two facts make this caveat less alarming than it sounds.

First, every file inside AppVault is already encrypted with AES-256-GCM before it is written to flash. A wear-leveled remnant — even one that survives the shred operation — is ciphertext that requires the vault key to make sense. The vault key is derived from your pattern and bound to the Secure Enclave; the remnant ciphertext is decorative without it.

Second, iOS itself applies device-wide encryption to flash storage using an effaceable-storage scheme. When you factory-reset an iPhone or use the "Erase All Content and Settings" option, iOS does not overwrite every page of flash — it discards the device-wide encryption key, which makes every byte on the device cryptographically random in one operation. This is the canonical secure-wipe operation for iPhone. The File Shredder is a useful per-file complement for live devices; the factory reset is the canonical operation before selling.

When to actually use it

Three reasonable use cases for the shredder.

Before selling, donating, or trading in

Run the shredder over any vault file with above-average exposure if recovered — sensitive documents, ID scans, medical photos, signed contracts you no longer need. Then perform iOS’s "Erase All Content and Settings" to discard the device-wide encryption key. The combination is as close to forensically complete as iPhone storage gets.

After a specific document is no longer needed

A one-off — a passport photo for a single visa application, a screenshot of a 2FA recovery code you have now stored elsewhere — gets the shredder rather than the regular delete. The encrypted blob disappears immediately instead of sitting in Trash for thirty days.

When the threat model includes targeted physical forensics

If you are a working journalist, a lawyer with privileged photo evidence, or a medical professional documenting case material, the cost of leaving recoverable ciphertext on the device is small but non-zero. The shredder reduces that cost to as close to zero as on-device flash storage permits.

What the shredder is not

Not a replacement for the iOS factory reset. Not a defense against an adversary who has the vault key. Not undoable. Not faster than a regular delete (each pass writes the full file size). Not free in storage I/O terms (a 50 MB video takes a few seconds to triple-write).

It is, simply, the right operation when "delete this so thoroughly that I do not need to think about it again" is the answer you actually want.

SHREDDER QUESTIONS

Eight things people ask before they tap Shred.

  1. 01 What is a file shredder?
    A file shredder is a delete operation that overwrites the storage occupied by the file with random or zero bytes before unlinking the file from the filesystem. The goal is to make the file unrecoverable by forensic tools that would otherwise be able to read the unlinked-but-not-overwritten bytes. AppVault’s File Shredder performs three overwrite passes per file before unlinking.
  2. 02 Why does normal "delete" not actually delete?
    When you delete a file on a filesystem, what usually happens is that the file’s entry in the directory is removed and the storage blocks it occupied are marked as available. The bytes themselves stay on disk until something else writes over them. On a phone with plenty of free storage, those bytes can persist for months. A forensic tool that scans the raw storage can recover them in full.
  3. 03 Does the shredder work on iPhone flash storage?
    Yes, with one honest caveat. The shredder overwrites the encrypted blob stored inside AppVault’s sandboxed container. Because every file in AppVault is already encrypted at rest, the underlying flash storage holds ciphertext — and even unrecovered ciphertext is useless without the vault key. The shredder’s overwrite passes add a second layer for users whose threat model includes specifically targeted flash forensics.
  4. 04 What about flash wear-leveling — does it defeat the shredder?
    Modern flash storage uses wear-leveling controllers that map logical blocks to physical pages, sometimes silently writing the new "overwrite" data to a different physical page than the original. This is a real limit on file-level shredding for any iOS app. Two facts mitigate it: first, the original bytes were already encrypted ciphertext, so a wear-leveled remnant is unreadable without the key; second, Apple’s iOS uses effaceable-storage and device-wide encryption that makes a full device wipe trivially complete. The shredder is a useful second layer for files specifically; the canonical wipe-before-resale operation is iOS’s own factory reset.
  5. 05 How many overwrite passes does AppVault use, and why three?
    AppVault performs three overwrite passes: first pass with random bytes, second pass with the complement, third pass with random bytes again. Three passes is the threshold described in the U.S. DoD 5220.22-M standard for unclassified-but-sensitive media sanitization. More passes provide diminishing returns; one pass is sufficient against any practical software-only recovery; three is sufficient against most physical forensic recovery on legacy magnetic media. On flash, the limiting factor is the wear-leveling layer, not the pass count.
  6. 06 When should I shred versus just delete?
    Shred when you are about to sell, donate, or hand off the iPhone, or when the specific file has higher-than-usual exposure if recovered (a one-off document with someone else’s personal information, a sensitive medical image, a contract you no longer need). Regular delete is fine for the daily-life file-management operation, because every file in AppVault was already encrypted before deletion.
  7. 07 Is there an undo for shred?
    No. By design. The shredder is the operation you use when you are absolutely sure. A standard delete from inside AppVault moves the file to a 30-day Trash where you can recover it; the shredder skips Trash entirely and overwrites immediately. The shredder prompt asks you to confirm twice.
  8. 08 Does shredding the vault delete iCloud backups too?
    If you have Encrypted iCloud Backup enabled, the shredder’s deletions propagate to the backup on the next sync — the encrypted blob in iCloud is removed and its catalog entry is rewritten. The propagation typically completes within a minute on Wi-Fi.

RELATED DOSSIERS

Keep reading.

6 ENTRIES

GET STARTED

Seal the vault.

Free to download. The first vault is free, forever. Upgrade only when you outgrow it.

Open AppVault on iPhone