How to Permanently Delete Photos Before Selling or Trading In Your iPhone

TL;DR

Deleting a photo on iPhone moves it to a 30-day holding album. Emptying that album removes the file reference but does not overwrite the data on the NAND flash. A factory reset encrypts the volume and discards the key, which is effective against casual recovery — but for sensitive photos, overwriting the data before the reset adds a meaningful layer of protection. AppVault's File Shredder writes random data over each file before deletion, and the app's AES-256-GCM encryption means that even raw NAND access yields only ciphertext. The full checklist: shred sensitive files in AppVault, delete and empty Recently Deleted in Photos, sign out of iCloud, erase all content and settings, and verify the device boots to the Hello screen.

What “Delete” Actually Means on iPhone

Tap the trash icon on a photo and iOS does not erase anything. It moves the file to the Recently Deleted album, where it sits for 30 days — fully visible, fully recoverable, still consuming storage. This is a safety net, not a security feature.

Open Photos, go to Albums, scroll to Recently Deleted, tap “Delete All” — now the file-system reference is gone. The photo no longer appears anywhere in the interface. But the data itself remains on the iPhone’s NAND flash storage. iOS marks those blocks as available for reuse. Until the storage controller writes new data into those exact blocks, the old photo data is physically present on the device.

This is not a theoretical concern. Forensic tools used by law enforcement and data recovery services routinely extract files from unreused NAND blocks on iPhones that have been “fully deleted” by their owners. The process is more difficult on modern iPhones than on older models, but the data is there until it is overwritten or the encryption key is destroyed.

Why Hardware Encryption Changes the Equation

Every iPhone since the 3GS encrypts the NAND flash at the hardware level. The encryption key is tied to the device’s unique UID, fused into the processor at manufacture and never exposed to software. When you perform a factory reset (“Erase All Content and Settings”), iOS does not overwrite every block — it destroys the file-system encryption key hierarchy. Without those keys, the data on the NAND is computationally infeasible to decrypt.

For the vast majority of sellers, a factory reset is sufficient. The data is mathematically locked behind a key that no longer exists.

But “computationally infeasible” is not “physically impossible.” A nation-state adversary with electron microscope access to the NAND chip could, in theory, read raw ciphertext directly. The probability is low. The consequence of failure — if the photos in question are medical records, legal documents, or journalistic source material — may be high enough to justify one more step.

That step is overwriting the data before the reset.

The Overwrite Gap: Where AppVault’s File Shredder Fits

iOS provides no built-in tool to overwrite deleted file blocks. Once you empty Recently Deleted, those blocks sit untouched until the OS reuses them. If you sell the iPhone the next day, the blocks are almost certainly still intact.

AppVault’s File Shredder addresses this gap for files already inside the vault. Before deleting a file, the shredder writes random data over its storage blocks, then removes the file reference. The original content is replaced with noise. Even a forensic NAND read recovers only the random overwrite data, not the original photo.

The shredder operates within AppVault’s encrypted vault. Photos that are still in the iOS Photos app need to be moved into AppVault first — imported via the app’s file picker — then shredded. This is an extra step, but it is the only way to guarantee that specific files are overwritten rather than merely dereferenced.

Files inside AppVault are encrypted with AES-256-GCM using a unique 96-bit nonce per file. The encryption key is derived from the user’s pattern via PBKDF2-SHA256 at 600,000 iterations, then wrapped by a key generated inside the iPhone’s Secure Enclave. Even without the overwrite step, raw NAND access yields only ciphertext. The overwrite step ensures that the ciphertext itself is gone.

The Full Pre-Sale Checklist

Follow these steps in order. Skipping a step leaves a gap.

1. Move Sensitive Photos into AppVault

Open AppVault. Use the import function to pull photos and videos from the iOS Photos app into the encrypted vault. This covers the material you are most concerned about — the files that would cause real harm if recovered by a stranger.

If you use AppVault’s Calculator Launcher as your primary access method, the vault is already separated from the Photos app in both interface and storage. Moving files in is a deliberate act, which means you know exactly what is inside.

2. Shred the Files

Inside AppVault, select the imported photos and run the File Shredder. The app writes random data over each file’s storage blocks, then deletes the encrypted file reference. This takes a few seconds per file depending on size.

After shredding, the files are gone from the vault. They are not in Recently Deleted. They are not in any album. The blocks that held them now contain random data.

3. Delete Remaining Photos from the iOS Photos App

Go through the Photos app and delete everything else you do not want the next owner to see. This includes screenshots, downloaded images, and any photos that were never moved into AppVault.

Tap Select, choose the photos, tap the trash icon. Then navigate to Albums → Recently Deleted → Delete All. This removes the file-system references. The data remains on the NAND, but it will be rendered inaccessible by the factory reset in step 6.

4. Sign Out of iCloud and Apple ID

Go to Settings → [your name] → Sign Out. Enter your Apple ID password and choose to remove iCloud data from the device. This disconnects the iPhone from your iCloud account, including iCloud Photos, iCloud Drive, Keychain, and Find My.

If iCloud Photos is enabled, your full photo library lives on Apple’s servers. Signing out removes the local copies but does not touch the cloud library. If you want the cloud library deleted as well, manage that separately at icloud.com before signing out.

5. Erase All Content and Settings

Go to Settings → General → Transfer or Reset iPhone → Erase All Content and Settings. Enter your passcode and Apple ID password when prompted. The device will reboot, destroy the file-system encryption key hierarchy, and present the Hello setup screen.

This is the step that makes the remaining data on the NAND flash computationally inaccessible. Without the encryption keys, the raw data is noise.

6. Verify the Hello Screen

After the reset completes, the iPhone should display the “Hello” setup screen in multiple languages. If it does, the reset was successful. If it boots to the lock screen or home screen, something went wrong — repeat step 5.

Do not set up the device again. The next owner will do that.

What About iCloud Backups?

If you have iCloud Backup enabled, a copy of your photo library — including photos you deleted from the device — may exist in your iCloud backup. The factory reset does not touch this.

Before selling the phone, go to Settings → [your name] → iCloud → Manage Storage → Backups. Select the device backup and either delete it or disable Photos in the backup scope. This ensures that even if someone gains access to your iCloud account later, the backup does not contain the photos you thought you deleted.

AppVault’s own encrypted iCloud Backup is opt-in and uses a separate per-device backup key. If you enabled it, the backup on Apple’s servers is ciphertext. AppVault cannot decrypt it — that is the point of the zero-knowledge architecture. But if you are decommissioning the device entirely, delete the AppVault backup from iCloud as well.

What This Process Does Not Protect Against

Honesty about limits is a feature, not a weakness.

iCloud server-side data. This guide covers the device. If your photos synced to iCloud, they exist on Apple’s servers until you delete them there. The factory reset does not reach across the internet.

Screenshots and cached thumbnails. Some apps generate their own thumbnail caches outside the Photos app. A factory reset clears these, but if you are concerned about a specific app’s cache, delete the app before the reset.

Physical NAND forensics on unshredded files. If you deleted photos from the iOS Photos app without shredding them first, and you perform the factory reset immediately, the raw data may still be on the NAND. The encryption key is gone, so the data is ciphertext — but it is ciphertext that could, in extreme threat models, be targeted for brute-force or side-channel attacks. The shredder eliminates this vector for files inside AppVault.

The threat model page covers AppVault’s defensive boundaries in detail. Read it before deciding whether this process matches your risk level.

How This Compares to Other Vault Apps

Most photo vault apps on the App Store — Keepsafe, Private Photo Vault, HideX — store files in their own sandboxed container. Deleting the app removes the container. Whether the underlying data is overwritten depends on the app’s implementation, and most do not publish their overwrite behavior.

Keepsafe is the category leader by install count; the full feature-by-feature breakdown is on AppVault vs Keepsafe. Vaultaire is the closest architectural competitor; see AppVault vs Vaultaire.

AppVault is the only iPhone vault app that publishes its full cryptography stack — AES-256-GCM, PBKDF2 at 600,000 iterations, Secure Enclave key wrapping — with primary-source citations, and pairs it with a file shredder that overwrites data before deletion. If the question is “how do I permanently delete photos from my iPhone before selling it,” the answer is not just “use a vault app.” The answer is “use a vault app that encrypts, overwrites, and lets you verify every layer.”

The Bottom Line

Deleting a photo on iPhone is not the same as destroying it. The Recently Deleted album is a 30-day grace period. Emptying it removes the reference, not the data. A factory reset destroys the encryption keys, which is effective against any realistic recovery attempt. For sensitive material, overwriting the data first — using AppVault’s File Shredder — closes the last gap.

The full process takes 15 to 30 minutes. The cost of skipping it is handing a stranger a device that may still contain your medical records, your legal documents, or your private photos — even if you are certain you deleted them.