A photo vault built for journalists who carry sensitive material on iPhone

TL;DR

AppVault encrypts photos, notes, and contact lists behind a calculator-icon app using AES-256-GCM with keys wrapped by the iPhone Secure Enclave. For journalists, the threat is not a hacked server — it is a customs officer scrolling your camera roll. AppVault's Calculator Launcher and Decoy Vault exist for that moment.

The threat is physical

Most privacy tools assume the adversary is remote — a hacker, a data broker, a government agency tapping fiber. For journalists covering conflict zones, authoritarian states, or organized crime, the adversary is the person standing in front of you at the checkpoint, holding your phone.

The threat model is simple: an officer takes your device into a back room, or scrolls through it at the border, or confiscates it during a raid. They open Photos. They see the image of the protester whose face you promised to protect. They see the contact list with the source’s real name. They see the GPS-tagged photo of the meeting location.

No end-to-end encrypted messaging app protects what is already on the device. Signal, WhatsApp, and iMessage protect data in transit. AppVault protects data at rest — the photos, notes, and files that live on the phone itself.

Read the full threat model for what AppVault defends against and what it does not.

Why iCloud Photos defeats on-device protection

iCloud Photos syncs your entire camera roll to Apple’s servers. If you use iCloud Photos — and most iPhone users do — then every photo you take is uploaded, often within minutes, over whatever network the phone can reach.

For a journalist, this means:

• The photo you took of the source meeting is on Apple’s servers, protected by Apple’s key hierarchy, not yours.
• A border officer who forces you to unlock the phone can scroll through the synced library. The on-device encryption is irrelevant once the device is unlocked.
• If Apple receives a legal demand, the photos are accessible. Apple publishes a transparency report. The data exists.

AppVault stores files locally, encrypted with keys derived from your pattern and wrapped by the iPhone Secure Enclave. The files never leave the device unless you explicitly enable encrypted iCloud Backup — and even then, they are sealed with a separate per-device backup key before upload. Apple receives only ciphertext.

The zero-knowledge architecture page explains what AppVault cannot see, cannot know, and cannot hand over.

Calculator Launcher: the operational layer

The Calculator Launcher is a fully functional iOS calculator. It performs arithmetic. It has no visible vault interface. The vault is accessed through an opt-in long-press gesture on the equals key.

This is not a trick. The calculator works. A border officer who taps the icon sees a calculator. There is no reason to ask for more.

The design satisfies Apple guideline 4.3 (alternate icons) because the calculator is not a facade — it is a working calculator that also guards a vault. The long-press shortcut is opt-in during setup. If you never enable it, the app is just a calculator.

For the journalist at the checkpoint, the officer sees a calculator. The source photos, the encrypted notes, the contact list — all of it is behind AES-256-GCM, sealed with a key that lives inside the Secure Enclave.

Decoy Vault: when one device serves more than one purpose

The Decoy Vault is a second 5×5 pattern that opens a separate, mathematically independent vault catalog. The two vaults share no keys, no file metadata, and no visible relationship.

The use case is not deception for its own sake. It is operational reality:

• A shared family iPad where a journalist also keeps personal files.
• A device that must be handed to a colleague or fixer who needs access to some material but not all.
• A checkpoint where the officer expects to see something and you need to show compliance without exposing the real catalog.

The decoy vault is not a “fake” vault. It is a real vault with real encryption, real key derivation, and real file protection. It simply contains a different set of files. The officer who opens it sees a functioning photo vault. They do not know another one exists.

Read the Pattern Lock page for the math behind the 5×5 grid and the key derivation that keeps both vaults independent.

Encrypted notes for source contact lists

Photos are not the only leak vector. Notes apps, contact lists, and messaging histories contain the identities of sources, meeting locations, and communication patterns.

AppVault encrypts files — including text notes, PDFs, and images — behind the same AES-256-GCM layer. The catalog itself is encrypted: an attacker with raw access cannot tell how many files exist, what they are named, or when they were created.

A journalist can store:

• Source contact lists with real names and numbers.
• Meeting notes with locations and timestamps.
• Scanned documents, passports, or press credentials.
• Audio recordings of interviews.

All of it is sealed behind the same encryption stack. The cipher is AES-256-GCM with a unique 96-bit nonce per file. Key derivation is PBKDF2-SHA256 at 600,000 iterations with a per-install 128-bit salt. The derived key is wrapped by a key generated inside the Secure Enclave — a key that never leaves the chip.

Primary sources: NIST FIPS 197 for AES, RFC 5116 for AES-GCM, Apple Platform Security for the Secure Enclave, and OWASP Password Storage Cheat Sheet for the iteration count.

What AppVault does not protect against

Honesty about limits is a feature, not a weakness.

AppVault does not protect against a nation-state adversary with a zero-click exploit. Commercial spyware — the kind sold to governments — operates at the operating system level. It can intercept keystrokes, activate the camera, and exfiltrate data before any app-level encryption is applied. AppVault operates at the app layer. It raises the cost of access, but it does not defeat an adversary who already controls the OS.

AppVault does not protect against legal compulsion. If a court orders you to disclose your pattern, AppVault cannot resist. The vault is only as strong as your willingness to comply — or not comply — with the order. The optional recovery passphrase is stored by you, on paper, off-device. AppVault has no copy.

AppVault does not protect against you. If you take a photo of a source and save it to the camera roll instead of the vault, AppVault cannot help. If you enable iCloud Photos and the photo syncs before you move it, the image is already on Apple’s servers. Operational security is a practice, not a product.

The threat model page covers this in detail.

How AppVault compares to the category

Keepsafe is the category leader by install count. The full feature-by-feature breakdown is on the AppVault vs Keepsafe page. The architectural difference: AppVault uses hardware-bound keys, publishes its full cryptography stack with primary-source citations, and makes zero network calls by default.

Vaultaire is the closest competitor in the calculator-vault category. The detailed comparison is on the AppVault vs Vaultaire page.

Most ad-supported photo vault apps run third-party SDKs that send usage telemetry off-device. AppVault runs no third-party SDKs. The privacy nutrition label declares no data collected.

Setup for field use

A journalist preparing for a border crossing or a raid does not have time to configure settings under pressure. AppVault’s setup is designed to be completed once, in a safe location, before the device enters a threat environment.

1. Choose a pattern you can reproduce under stress. The 5×5 grid offers over 700 million possible 4-point patterns. Pick one that is motor-memorized, not intellectually memorized. You will need it when your hands are shaking.

2. Enable the Calculator Launcher. Set the long-press equals-key shortcut. Test it. Make sure the calculator works for arithmetic — because it will be tested.

3. Set up the Decoy Vault. Populate it with plausible but non-sensitive material. A few personal photos. A note that looks like a grocery list. The decoy only works if it is believable.

4. Generate the recovery passphrase. Write it on paper. Store it separately from the device. This is the only way back in if the pattern is forgotten. There is no reset. There is no support line.

5. Disable iCloud Photos for the camera roll. Move existing sensitive photos into the vault. Verify that the camera roll is clean. The officer who scrolls the Photos app should see nothing that was not already public.

6. Test the full flow. Lock the device. Unlock it. Open the calculator. Long-press equals. Enter the pattern. Verify the vault opens. Do this until it is automatic.

The calculus of device seizure

A border officer who takes your phone into a back room has a limited attention span and a limited mandate. They are looking for contraband, evidence, or intelligence. They are not running forensic tools — at least not at the primary inspection line.

What they see is the home screen. They see the apps. They open Photos. They scroll. They look for the obvious.

AppVault’s Calculator Launcher ensures that the obvious is a calculator. The Decoy Vault ensures that, if they find a vault, it contains what they expect to find. The encryption ensures that, if they extract the raw storage, they get ciphertext.

None of this is absolute. A forensic lab with a warrant and a Cellebrite box is a different threat than a customs officer with a bored expression. AppVault is designed for the latter. For the former, you need a lawyer.

But the customs officer is the more common threat. The checkpoint is the more frequent encounter. The moment of device handover is the moment that matters.

AppVault is built for that moment.