How to Hide Photos on iPhone — Every Method, Honestly Evaluated
iOS gives you a Hidden Album. It also gives you a Recently Deleted folder that keeps files for 30 days. Neither is private in the way most people assume. This guide walks through every method Apple provides, explains where each one breaks down, and shows what a dedicated vault app does differently.
UPDATED · 2026-05-16 · REVIEWED BY APPVAULT
TL;DR
The iPhone's built-in Hidden Album removes photos from the main library view but leaves them visible in a dedicated "Hidden" album that anyone can open. The Locked Folder in iOS 16+ adds Face ID protection but still shows the folder's existence. Dedicated vault apps like AppVault encrypt files with AES-256-GCM, derive keys through PBKDF2 with 600,000 iterations, and can disguise the app itself as a calculator — none of which the native tools offer. The right method depends on who you are protecting against.
The Built-in Hidden Album: What It Actually Does
Apple added the Hidden Album to iOS as a convenience feature. It removes selected photos and videos from the main library view — the Photos tab, the For You tab, and Memories. The files relocate to a dedicated album found under Albums → Utilities → Hidden.
That is the entire mechanism. No password. No biometric gate. No encryption change. The files sit in the same unencrypted container as every other photo on the device, indexed by the same database, visible to anyone who navigates to the right screen.
Apple added a toggle in iOS 14 that lets you hide the Hidden Album listing itself. Go to Settings → Photos and switch off “Hidden Album.” The album disappears from the Utilities section. But the photos are still indexed. They still appear in search results. They still surface in Siri suggestions. The toggle is a UI change, not a security control.
When the Hidden Album is enough: You want to keep a casual swiper (a friend flipping through your camera roll, a child tapping around) from stumbling onto specific images. The Hidden Album removes photos from the default browsing flow. For that narrow purpose, it works.
When it is not enough: Anyone who opens the Photos app with intent can find the Hidden Album in under five seconds. It requires no authentication step. If your threat model includes a person who knows what they are looking for, the Hidden Album is not a barrier.
The Locked Folder (iOS 16 and Later)
iOS 16 introduced the Locked Folder, which adds Face ID or Touch ID protection to hidden photos. When you move photos into the Locked Folder, the Photos app requires biometric authentication before displaying them.
This is a meaningful step up from the Hidden Album. A person swiping through your phone cannot open the Locked Folder without your face or fingerprint. The files are also excluded from iCloud Photos sync — they stay on-device only.
But the Locked Folder has its own limits. The folder itself is visible in the Photos app. A viewer can see that a Locked Folder exists and infer that it contains content you have chosen to protect. The folder shows a lock icon and a label. It announces its own existence.
The Locked Folder also does not encrypt files separately from the rest of the iOS data protection system. When the device is locked, all files are protected by the hardware encryption tied to your passcode. When the device is unlocked, the Locked Folder adds a biometric gate — but the underlying storage is the same encrypted APFS volume that protects everything else on the phone.
When the Locked Folder is enough: You want biometric protection against someone who has your unlocked phone in hand. A colleague, a family member, a friend — someone who can physically interact with the device but cannot authenticate as you.
When it is not enough: The Locked Folder does not hide the fact that hidden content exists. It does not protect against someone with your device passcode (since the passcode can override Face ID). It does not encrypt files with a separate key. And it does not help if you need the vault app itself to be invisible.
Where Native Tools Break Down
The core problem with both Apple-native options is architectural. The Photos app is a single application with a single data store. Hiding a photo means changing a flag in a database row. The file stays in the same directory, on the same flash storage, referenced by the same index.
This has concrete consequences:
- Search and Siri. Even with the Hidden Album toggle off, photos can surface in Spotlight search, Siri suggestions, and the search bar inside Photos. Apple’s indexing pipeline does not fully respect the hidden flag.
- Shared albums and AirDrop. Hidden photos can still be selected for AirDrop or shared albums if the user navigates to them through search or a shared link. The hiding mechanism is a display filter, not an access control.
- Backups. Hidden and Locked Folder photos are included in iCloud backups and iTunes/Finder backups. If someone gains access to your iCloud account or a local backup file, the hidden photos are there.
- Recently Deleted. When you delete a photo — hidden or not — it moves to the Recently Deleted folder and stays recoverable for 30 days. The Hidden Album does not change this behavior.
- Forensic access. Tools used in device forensics read the flash storage directly or extract the Photos database. A boolean flag in a SQLite column does not stop a forensic examiner.
For the threat models that matter — customs and border inspections, shared family iPads, lending your phone to someone, selling or trading in a device — the native tools leave gaps that a dedicated vault app is designed to close.
How Dedicated Vault Apps Work
A vault app takes a fundamentally different approach. Instead of toggling a visibility flag inside the Photos app, it removes files from the Photos library entirely and stores them in an encrypted container that the app controls.
The typical workflow:
- Import. The user selects photos or videos from the Photos library. The vault app copies them into its own sandboxed storage.
- Encrypt. Each file is encrypted with a symmetric key derived from the user’s passphrase or pattern. In AppVault’s case, the cipher is AES-256-GCM with a unique 96-bit nonce per file, and the key is derived through PBKDF2-SHA256 at 600,000 iterations with a per-install 128-bit salt.
- Delete originals. The app deletes the original files from the Photos library, including from the Recently Deleted folder, so no trace remains in the native photo database.
- Store. The encrypted files live inside the app’s sandbox. The iOS sandbox prevents other apps from reading the data. The encryption prevents anyone who extracts the sandbox contents from reading the files without the key.
The result: the photos no longer exist in the Photos app, in search, in Siri suggestions, in shared albums, or in the camera roll. They exist only as ciphertext inside the vault app’s container.
What Encryption Actually Means Here
AppVault’s cryptography stack is published in full on the encryption concept page. The short version:
- AES-256-GCM (Galois/Counter Mode) provides authenticated encryption. Each file gets a unique 96-bit nonce, so two identical photos produce completely different ciphertext. The algorithm is specified in NIST FIPS 197 and NIST SP 800-38D.
- PBKDF2-SHA256 at 600,000 iterations converts the user’s pattern into a cryptographic key. The iteration count follows the OWASP 2026 recommendation for password-based key derivation. A random 128-bit salt, generated once at install time, ensures that two devices with the same pattern produce different keys.
- Secure Enclave wrapping. The PBKDF2 output is wrapped by a key generated inside the iPhone Secure Enclave. The Enclave key never leaves the chip. On devices with a Secure Enclave (iPhone 5s and later), this means the key material is bound to the hardware and cannot be extracted by software alone.
This is not marketing language. Each of these choices has a specific security property. The high iteration count makes brute-force attacks on the pattern computationally expensive. The per-file nonce prevents pattern analysis across ciphertext. The Secure Enclave binding means that even if someone copies the encrypted container to another device, the files cannot be decrypted without the original hardware.
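An added example, not AppVault's code: a Python sketch of the scheme described above, with PBKDF2-SHA256 at 600,000 iterations and a 128-bit salt feeding AES-256-GCM under a fresh 96-bit nonce per file. The pattern encoding, the nonce-prefixed blob layout and the use of a file ID as associated data are assumptions of the example; the Secure Enclave wrapping step is omitted because it needs the hardware. It requires the third-party `cryptography` package.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 600_000  # PBKDF2-SHA256 iteration count stated on the page
SALT_LEN = 16         # 128-bit per-install salt
NONCE_LEN = 12        # 96-bit per-file nonce
TAG_LEN = 16          # GCM authentication tag appended by AESGCM.encrypt


def derive_key(nodes, salt):
    """Stretch a 5x5 pattern (distinct node indices 0..24) into a 256-bit key.

    Encoding the pattern as one byte per node is an assumption of this example.
    """
    if len(set(nodes)) != len(nodes) or not all(0 <= n < 25 for n in nodes):
        raise ValueError("pattern must be distinct node indices in 0..24")
    return hashlib.pbkdf2_hmac("sha256", bytes(nodes), salt, ITERATIONS, dklen=32)


def seal(key, plaintext, file_id):
    """Encrypt one file. Layout (assumed): nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)  # fresh nonce for every file, never reused
    # file_id is authenticated but not encrypted: it binds the blob to its entry.
    return nonce + AESGCM(key).encrypt(nonce, plaintext, file_id)


def open_sealed(key, blob, file_id):
    """Return the plaintext, or None if the key, file_id or blob is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    try:
        return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], file_id)
    except InvalidTag:
        return None


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)  # generated once per install
    primary = derive_key([0, 6, 12, 18, 24], salt)
    decoy = derive_key([4, 8, 12, 16, 20], salt)
    photo = b"constructed sample bytes standing in for a photo"

    a = seal(primary, photo, b"IMG_0001")
    b = seal(primary, photo, b"IMG_0001")
    print("same file, different ciphertext:", a != b)
    print("round trip:", open_sealed(primary, a, b"IMG_0001") == photo)
    print("decoy key opens primary file:", open_sealed(decoy, a, b"IMG_0001") is not None)
    flipped = a[:-1] + bytes([a[-1] ^ 1])
    print("tampered blob rejected:", open_sealed(primary, flipped, b"IMG_0001") is None)
```

A wrong pattern and a modified blob fail the same way, at the GCM tag check, so the caller cannot tell them apart from the result alone.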
The Calculator Launcher: Hiding the Hider
Encryption protects the files. But if the vault app itself is visible on the home screen, a viewer knows that hidden content exists. The app icon is a signal.
AppVault’s Calculator Launcher addresses this by shipping a fully functional iOS calculator as the app’s primary interface. The user opens the app, sees a standard calculator, and can perform calculations normally. A long-press on the equals key opens the encrypted vault.
This is not a fake calculator. It is a real calculator that also happens to have a vault behind a specific gesture. The design is built to satisfy Apple guideline 4.3 (alternate icons) by providing genuine calculator functionality.
The Calculator Launcher changes the threat model. A person who picks up your phone and sees a calculator app on the home screen has no reason to suspect it contains encrypted photos. A customs officer scrolling through apps sees a calculator. A friend who borrows your phone sees a calculator.
This is not invisibility. A forensic examination of the app’s bundle identifier and entitlements would reveal its true nature. But for the practical scenarios that most people face — a person with physical access and casual intent — the Calculator Launcher raises the barrier from “open the obvious vault app” to “figure out that the calculator is not a calculator.”
The Decoy Vault: Two Albums, One Device
Some situations require more than a hidden app. If someone knows you use a vault app and demands access, a single password creates a problem: refusal implies guilt, and compliance defeats the purpose.
AppVault’s Decoy Vault provides a second 5×5 pattern that opens a separate, mathematically independent vault catalog. The decoy vault is a fully functional encrypted space. It can contain its own photos, videos, and files. The encryption keys for the decoy vault are derived from the decoy pattern — they are unrelated to the keys for the primary vault. There is no cryptographic link between the two.
This is useful in specific scenarios: a shared family iPad where one person’s vault access is expected, a device used by more than one person, or any situation where plausible deniability has practical value.
The decoy vault is not a magic shield. It does not protect against forensic analysis that examines the app’s entire storage. It protects against the social scenario where someone knows the vault exists and wants to see what is inside.
Pattern Lock: Why the Grid Matters
AppVault uses a 5×5 pattern lock instead of a numeric PIN or alphanumeric password. The grid provides 25 nodes, and the pattern connects them in sequence. The total number of possible patterns is large — significantly larger than a 4-digit PIN (10,000 combinations) and comparable to a 6-digit PIN, though the exact count depends on the minimum and maximum node constraints.
The pattern is not the encryption key. The pattern is the input to PBKDF2, which stretches it into a 256-bit key. The security comes from the key derivation function, not from the pattern itself. A 4-digit PIN run through PBKDF2 at 600,000 iterations is also secure against brute force — the iteration count is what makes each guess expensive.
The pattern lock is a usability choice. Most people can remember a geometric shape more reliably than a random string. The 5×5 grid is familiar from Android’s legacy lock screen. And the visual nature of the pattern makes it faster to enter than a typed password on a touchscreen.
What Vault Apps Do Not Protect Against
Honesty about limits is more useful than overstatement. Here is what a vault app like AppVault does not defend against:
- Forensic chip-off attacks. A laboratory that desolders the NAND flash chip and reads it directly can extract the encrypted container. AES-256-GCM with a strong key makes decryption infeasible, but the ciphertext is physically present. If the key is weak (a simple pattern, low iteration count), the encryption can be broken. AppVault’s 600,000-iteration PBKDF2 and Secure Enclave wrapping raise the cost substantially, but no software-only solution defeats a well-funded forensic lab.
- Compelled decryption. In some jurisdictions, authorities can legally compel you to provide a password or biometric. A vault app cannot protect against a court order. The Decoy Vault may provide plausible deniability in informal settings, but it is not a legal shield.
- Device passcode compromise. If someone knows your device passcode, they can unlock the phone and attempt to open the vault app. The vault’s pattern is a separate authentication factor, but the device passcode is the first line of defense. A strong device passcode (alphanumeric, not 4-digit) remains essential.
- Screen recording and shoulder surfing. A vault app cannot prevent someone from watching you enter your pattern or from recording the screen while you browse encrypted photos. Physical security — awareness of your surroundings, screen privacy filters — is a separate layer.
- iCloud Backup of the vault container. If the user opts in to iCloud Backup, the vault’s encrypted container is backed up. The files remain encrypted, and the backup key is separate from the vault key. But the ciphertext exists on Apple’s servers. AppVault’s backup encryption uses a per-device key that Apple does not hold, but the metadata (backup exists, app installed) is visible.
The full threat model page details these scenarios with more precision.
Comparing AppVault to the Category
The calculator vault category on the App Store includes dozens of apps. Most share a similar premise — a disguised icon, a pattern or PIN lock, encrypted storage — but the implementation quality varies enormously.
Keepsafe is the category leader by install count. It offers cloud sync, a subscription model, and a polished interface. The full feature-by-feature breakdown is on the AppVault vs Keepsafe comparison page. Keepsafe’s cloud architecture means files pass through Keepsafe’s servers, which is a fundamentally different trust model than a local-only app.
Vaultaire is the closest competitor in the calculator-vault niche. It uses a calculator disguise and local storage. The architectural differences — key derivation, encryption mode, Secure Enclave usage — are detailed on the AppVault vs Vaultaire comparison page.
Most other calculator vault apps in the store do not publish their cryptography stack. Without published iteration counts, cipher modes, and key derivation details, there is no way to evaluate whether the encryption is meaningful or decorative. An app that claims “military-grade encryption” but runs PBKDF2 at 1,000 iterations is not providing meaningful protection.
AppVault publishes its full stack with primary-source citations. The cipher, iteration count, salt generation, and hardware binding are documented on the encryption page. This is the minimum standard for a product that asks users to trust it with private files.
Practical Scenarios: Which Method to Use
Customs and border inspections. An officer who picks up your phone and scrolls through apps and photos. The Calculator Launcher addresses this: the app looks like a calculator. The encrypted files are not in the Photos app. The officer has no obvious reason to suspect hidden content. This is the scenario where a vault app with a disguised icon provides the most value over native tools.
Shared family iPad. Multiple people use the same device. The Locked Folder provides biometric protection, but the folder is visible. A vault app with a separate pattern keeps files out of the Photos app entirely. The Decoy Vault adds a second layer if one family member’s access is expected.
Lending your phone. A friend takes a group photo and swipes further. The Hidden Album removes photos from the main view, but a determined swipe can reach it. A vault app removes the files from the Photos app completely.
Selling or trading in an iPhone. Before a factory reset, move sensitive files to the vault app, then use the app’s secure delete function. After deleting the app and performing a factory reset, the encrypted container is destroyed. The native Hidden Album and Recently Deleted folder are wiped by the factory reset, but a vault app gives you explicit control over the deletion timing.
Journalists, lawyers, medical professionals. Privileged work material that should not be accessible to anyone with device access. A vault app with strong encryption and no cloud sync keeps files local and encrypted. The zero-knowledge architecture — detailed on the zero-knowledge page — means the app developer has no access to file contents or metadata.
How to Set Up AppVault for Photo Hiding
The setup process is designed to minimize the window during which files exist in both the Photos library and the vault simultaneously.
- Install AppVault from the App Store. The app appears as a calculator on the home screen.
- Set the primary pattern. Choose a 5×5 pattern you can remember. This pattern derives the encryption key for your primary vault.
- Set the decoy pattern (optional). This opens a separate vault catalog with its own encryption keys.
- Generate the recovery passphrase. AppVault creates a written recovery phrase during setup. Store it somewhere physically separate from the phone. If you forget both patterns, this is the only way back in.
- Import photos. Open the vault, tap import, and select photos from the Photos library. AppVault encrypts them and stores them in its sandbox.
- Delete originals. After confirming the photos are visible inside the vault, delete them from the Photos app. Then open the Recently Deleted folder and delete them there too.
- Verify. Open the Photos app and confirm the images are gone from all views — Photos tab, Albums, Search, and Recently Deleted.
The photos now exist only as encrypted files inside AppVault’s sandbox. They are not in the Photos database, not in search, not in iCloud Photos, and not in any backup unless you have explicitly opted in to encrypted iCloud Backup.
The Cost of Getting It Wrong
The worst outcome is not having no protection. It is having the illusion of protection.
A person who relies on the Hidden Album and assumes their photos are private has made a specific, testable claim about their security — and the claim is false. The Hidden Album is a display preference, not an access control. Anyone with unlocked device access can find the hidden photos in seconds.
A person who downloads a free vault app with ad SDKs and assumes their photos are encrypted has made a different claim — one that may also be false. Without published cryptography details, there is no way to verify that the app encrypts anything. Some free vault apps have been found to store files in plaintext inside the app’s Documents directory, readable by anyone who can access a local backup.
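A check for the plaintext-storage failure described above, added here and not taken from AppVault or any other app: pointed at an app container extracted from a local backup of your own device, it flags files that still carry ordinary media headers. The directory layout, the file names and the 7.0 bits-per-byte threshold are assumptions of the example, and the sample files are constructed.

```python
import math
import os
from collections import Counter

# Leading bytes of common unencrypted media formats.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff(head):
    """Name the media format a file header belongs to, or return None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    # HEIC, MP4 and MOV are ISO base media files: 'ftyp' sits at offset 4.
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return "isobmff/" + head[8:12].decode("ascii", "replace").strip()
    return None


def entropy(data):
    """Shannon entropy in bits per byte (8.0 looks uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit(root, sample=65536, threshold=7.0):
    """Classify every file under root by its first `sample` bytes."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample)
            kind = sniff(head)
            if kind:
                verdict = "plaintext-media:" + kind  # readable without any key
            elif entropy(head) < threshold:
                verdict = "structured"  # e.g. a catalog; inspect it for file names
            else:
                verdict = "opaque"  # consistent with ciphertext, not proof of it
            report[os.path.relpath(path, root)] = verdict
    return report


def build_sample(root):
    """Write constructed files that mimic an extracted app container."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    files = {
        "a1.bin": b"\xff\xd8\xff\xe0" + os.urandom(2048),  # JPEG, only renamed
        "a2.bin": b"\x00\x00\x00\x18ftypheic" + os.urandom(2048),
        "a3.bin": os.urandom(4096),  # stands in for ciphertext
        "catalog.txt": b"IMG_0001.JPG 2026-01-01\n" * 64,
    }
    for name, data in files.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, verdict in sorted(audit(tmp).items()):
            print(f"{verdict:28} {path}")
```

An "opaque" verdict only rules out the plaintext case; it says nothing about the cipher, the key derivation or nonce handling. Files of a few hundred bytes fall under the threshold even when encrypted, because a short sample cannot reach high entropy.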
The right approach is to match the method to the threat model. If the threat is a casual swipe through your camera roll, the Hidden Album or Locked Folder is sufficient. If the threat is a person with intent — a border inspection, a shared device, a phone you are handing to someone — a dedicated vault app with published encryption, a disguised icon, and local-only storage is the appropriate tool.
AppVault is built for the second category. The full architecture — cipher, key derivation, hardware binding, zero-knowledge design — is documented on the encryption, zero-knowledge, and security pages. No claims are made that cannot be verified against primary sources.
QUESTIONS
10 sharp answers.
01 How do I hide photos on iPhone using the built-in Hidden Album?
Open Photos, select the images, tap the share button, and choose 'Hide.' The photos move to the Hidden album under Albums → Utilities. No password or biometric is required to view them.
02 Can people see my Hidden Album on iPhone?
Yes. The Hidden Album appears in the Albums tab under Utilities. On iOS 14 and later, you can toggle its visibility in Settings → Photos, but the toggle only hides the album listing — the photos are still accessible through search, Siri suggestions, and shared albums.
03 What is the Locked Folder in iOS 16?
Introduced in iOS 16, the Locked Folder moves photos behind Face ID or Touch ID. Unlike the Hidden Album, it requires biometric authentication to open. The folder itself is still visible in the Photos app, and its existence signals that hidden content is present.
04 Do hidden photos back up to iCloud?
Yes. Hidden and Locked Folder photos sync to iCloud Photos if the feature is enabled. They are encrypted in transit and at rest by Apple's iCloud encryption, but Apple holds the keys for standard iCloud accounts — meaning the files are accessible to Apple and, under legal compulsion, to law enforcement.
05 How do dedicated vault apps hide photos differently?
Vault apps import photos from the library, encrypt them with a user-derived key, and delete the originals from the Photos app. The encrypted files exist only inside the app's sandbox. Some vault apps, like AppVault, add a Calculator Launcher so the app appears as a standard iOS calculator.
06 Can a vault app protect photos at the border?
A vault app with a disguised icon and no visible photo content raises the practical barrier significantly. No app can guarantee protection against a forensic examination, but encryption with a strong key derivation function makes brute-force recovery infeasible.
07 What happens if I forget my vault app password?
In a zero-knowledge architecture, forgotten credentials mean permanent data loss. AppVault generates an optional written recovery passphrase during setup. Without it, there is no reset mechanism — by design.
08 Are free vault apps safe to use?
Many free vault apps monetize through ad SDKs that collect device identifiers and usage data. Some have been caught uploading photo metadata to third-party servers. An app that hides your photos while sending telemetry to advertisers has not solved the problem.
09 How do I hide photos on iPhone before selling it?
Move sensitive photos to a vault app, then use the app's secure delete function. After that, sign out of iCloud, erase all content and settings, and perform a factory reset. The vault's encrypted container is destroyed when the app is deleted.
10 Does hiding photos save iCloud storage?
No. Hidden photos still count against your iCloud storage quota. Moving photos to a third-party vault app and deleting them from the Photos library frees iCloud space, but the vault app stores files locally on the device.