FILE 06 / INTRUDER LOG
See exactly who tried to open the vault — silently, on-device, only visible to you.
After three consecutive failed pattern attempts, AppVault uses the front camera to take a silent photo, records the timestamp and approximate location, and stores all three inside the encrypted vault. The log is invisible to whoever triggered it and visible only to the legitimate owner after a successful unlock.
UPDATED · 2026-05-16 · REVIEWED BY APPVAULT
What the intruder log is actually for
The intruder log is not a forensic surveillance tool and it is not a way to catch a stalker. It is something more modest and more useful: a clear record of who has been trying to open your vault. In almost every case, this is one of three people — yourself (forgetting the pattern after a stressful day, mis-tapping after a long flight), a child who picked up your iPhone curious about the unfamiliar app icon, or a friend who borrowed your phone to send a text and then poked around longer than they should have.
Each of those cases produces an entry. Most of the time, you look at the log, recognize yourself or someone harmless, and dismiss it. Occasionally, you see a face you do not recognize, or you see yourself at a time you have no memory of, and that information changes what you do next. The value of the log is in the cheap availability of that information.
Why a threshold of three
The threshold question is genuinely interesting. Too low and the log fills with self-triggered captures every time you fat-finger your own pattern; too high and an attentive snoop with five guesses gets away clean.
Two is aggressive. It will catch almost every snoop on their first or second try, and it will also catch you on the half-asleep nights you mis-draw twice before getting it right. It is the right setting for people who are reasonably confident in their muscle memory and who genuinely want a low miss rate.
Three is the default and the value we recommend for most users. It tolerates one accidental misdraw plus one quick correction — the typical "oh wait, was it that direction?" pattern — and triggers on the third. Internal testing with seventeen private testers over six weeks showed roughly 95% of deliberate-snoop sessions caught on or before the third attempt, with a self-trigger rate under 1% of legitimate-owner sessions.
Five and ten exist for users who draw long, complex patterns under varying conditions (cold weather, gloves, the bottom of a bag) and who would rather miss occasional opportunistic snooping than deal with frequent false positives. The trade-off is real.
How the capture actually works
When the failure counter hits the threshold, AppVault issues a single still-photo capture request to the iPhone’s front-facing camera using Apple’s AVFoundation framework. The capture is performed with no on-screen viewfinder, no shutter sound (we set the AVCaptureSession sound mode to silent), and no artificial screen-flash illumination. The orange-or-green camera-active dot that iOS shows in the status bar does appear — Apple requires it for any app accessing the camera — but it is a brief flash on a screen the intruder is, by definition, looking at while focused on the unlock prompt.
The captured image is processed in memory, downsampled to a reasonable storage size (about 600 KB per photo), encrypted with AES-256-GCM using a fresh nonce, and written to the encrypted intruder log inside your vault. The original camera buffer is overwritten before the function returns. From the moment the capture is committed, the only way back to the image is through your pattern.
The timestamp is the wall-clock time at the moment of capture. Location, if granted, is captured at the same moment using Core Location’s approximate-location authorization — a city-block-level coarse coordinate that iOS introduced as a privacy-preserving alternative to full GPS in iOS 14. AppVault never requests precise location; coarse is enough to say "the attempt happened in central Madrid" and not enough to identify a specific apartment.
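The flow this section describes, as an added Swift example using CryptoKit (not AppVault's own code): a consecutive-failure counter triggers a capture, and the entry is sealed with AES-256-GCM under a fresh nonce, with the photo and location optional. The entry fields, `FailureCounter`, `seal`, `unseal`, the reset-after-capture behaviour and the randomly generated key are assumptions made for illustration.

```swift
import Foundation
import CryptoKit

// Hypothetical entry layout; field names are assumptions, not AppVault's schema.
struct IntruderEntry: Codable {
    let timestamp: Date
    let vault: String            // "primary" or "decoy"
    let photo: Data?             // nil when the capture produced no photo
    let coarseLocation: String?  // nil when location permission was declined
}

// Counts consecutive failures of complete patterns; any success resets it.
struct FailureCounter {
    let threshold: Int
    private(set) var failures = 0
    init(threshold: Int = 3) { self.threshold = threshold }

    // Returns true when this attempt should trigger a capture.
    mutating func record(success: Bool) -> Bool {
        if success { failures = 0; return false }
        failures += 1
        guard failures >= threshold else { return false }
        failures = 0   // assumption: counting restarts after a capture
        return true
    }
}

// Seals one entry with AES-256-GCM. CryptoKit draws a fresh random 96-bit
// nonce per call when none is supplied; `combined` is nonce + ciphertext + tag.
func seal(_ entry: IntruderEntry, with key: SymmetricKey) throws -> Data {
    let plaintext = try JSONEncoder().encode(entry)
    let box = try AES.GCM.seal(plaintext, using: key)
    return box.combined!   // non-nil for the default 12-byte nonce
}

// Authenticates and decrypts; throws if the key is wrong or the blob was altered.
func unseal(_ blob: Data, with key: SymmetricKey) throws -> IntruderEntry {
    let box = try AES.GCM.SealedBox(combined: blob)
    return try JSONDecoder().decode(IntruderEntry.self, from: AES.GCM.open(box, using: key))
}

// Constructed demo: three failed attempts in a row hit the default threshold.
let key = SymmetricKey(size: .bits256)   // stand-in for the real vault key
var counter = FailureCounter()
for ok in [false, false, false] {
    guard counter.record(success: ok) else { continue }
    let entry = IntruderEntry(timestamp: Date(), vault: "primary", photo: nil, coarseLocation: nil)
    let blob = try seal(entry, with: key)
    print("sealed \(blob.count) bytes, photo present:", try unseal(blob, with: key).photo != nil)
}
```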
What an intruder log entry looks like inside the vault
Open AppVault, unlock with your pattern, and tap the Intruder Log tab. Each entry shows the captured photo as a thumbnail, the date and time of the attempt, the city-level location, and a small badge indicating which vault the attempt was made on (primary or decoy). Tapping an entry opens a full-size view with the same metadata plus a one-line annotation field where you can write a quick note ("kids, again" or "unfamiliar — review later").
You can swipe to delete individual entries, or bulk-delete the entire log, but the delete is permanent. There is no undo and no Trash for the intruder log — these are records that exist for transient review, not long-term storage. If you want to keep a specific capture (because you want to file it with a workplace IT report or with your phone carrier’s loss claim), use the export action, which moves a single capture to your camera roll or iOS share sheet at your explicit instruction.
What the intruder log is not
The log is not a security system. It is not connected to a monitoring service, does not send alerts, does not notify a "trusted contact", and does not call the police. Everything happens locally, after the fact, available only to you.
The log is not protection against a determined attacker. Someone who is willing to remove their finger before the threshold (each attempt counts only after a complete pattern is drawn) or who covers the front camera with a finger or a sticker before unlocking will defeat the capture. The log catches casual, opportunistic snooping; it does not catch professional intrusion.
The log is not a substitute for a strong pattern. The right way to keep someone out of your vault is to choose a pattern they cannot guess — the intruder log is the consolation prize for the rare case when somebody tries anyway and fails. If you find yourself relying on the log as your primary defense, you have probably under-invested in the pattern itself.
Privacy considerations of captured photos
Capturing a person’s face without their explicit consent raises real privacy questions, even when the capture is on your own device and the person was attempting to access something they had no right to access. AppVault’s position is conservative:
- The capture never leaves your iPhone unless you export it manually.
- The capture is encrypted at rest, the same way every other file in your vault is.
- You decide what to do with the capture. AppVault provides no automatic sharing, no "send to family", and no public timeline.
- You can disable the intruder log entirely in settings; if disabled, AppVault never accesses the camera regardless of attempt count.
If you live in a jurisdiction with strict consent-for-capture laws (parts of Europe, parts of the U.S.), think about who is most likely to trigger the log. In a shared family home, that is your spouse or your child, and you should treat the log accordingly — as a record-of-attempt rather than as a piece of evidence. In a corporate or co-working environment, treat any captured intruder as you would treat an unauthorized-access log line in any other system: review, escalate to your IT or HR contact if needed, and let them decide what counts as evidence.
INTRUDER LOG QUESTIONS
Ten precise answers about the camera that records the wrong patterns.
01 How many failed attempts trigger the intruder log?
AppVault’s default threshold is three consecutive failed pattern attempts. You can change the threshold in settings to two (more aggressive — catches almost every snoop but increases the chance of a self-tripped capture), five, or ten. We picked three as the default because it catches roughly 95% of casual shoulder-snoops while self-triggering on the owner less than 1% of the time, based on internal testing.
02 What does AppVault capture when the threshold is hit?
A front-camera photo at standard resolution, the wall-clock time, the approximate location (city-level via Core Location, not GPS-precise), the device model, and the iOS version. The capture is stored inside the encrypted vault catalog and is only viewable after the next successful unlock by the legitimate owner.
03 Is the capture silent? Does the screen flash?
The capture is silent. The shutter sound is muted. The screen does not flash. There is no LED indicator on the front camera of any current iPhone, and AppVault does not display a viewfinder or any other UI hint. Apple’s privacy rules require that an app accessing the camera show some indication in the iOS status bar — a small orange or green dot — but that indication is the standard iOS feature, not an AppVault-specific tell.
04 Where is the captured photo stored?
In an encrypted intruder log inside your AppVault container, sealed with the same key as the rest of the vault. The photo is never written to your camera roll, never uploaded to a server, and never visible to any party other than you after you unlock with the correct pattern. If you have Encrypted iCloud Backup enabled, the intruder log is backed up alongside the rest of the vault as ciphertext.
05 Does the intruder log work in low light?
iPhone front cameras handle indoor and low-light environments well enough to produce identifiable photos in most common shoulder-surf scenarios — a person sitting on a couch, leaning over a desk, holding the phone close to their face. Pitch dark or aggressively backlit scenes can degrade the capture to silhouette quality. The intruder log is most useful against casual snooping by people you know; it is not a forensic surveillance tool.
06 What if the camera is covered?
AppVault still records the timestamp and location entry, just without the photo. A blank capture entry is itself signal — someone deliberate enough to cover the camera before attempting to unlock is not a curious bystander.
07 Can I view the intruder log without unlocking the vault?
No. The log is encrypted alongside the rest of the vault. The only way to view it is to enter your pattern and open AppVault. This is deliberate — a separately-accessible log would leak the existence of the vault to anyone holding the phone.
08 Does the intruder log share photos to my Photos app?
No, never. Captured intruder photos live inside the encrypted vault and are not visible to iOS in any other context. You can manually export a single capture if you need to (for example, to file a report), but no automatic export happens.
09 How is location captured?
Using Core Location’s coarse-location authorization at city-level granularity (the iOS 14+ "approximate location" feature). This is precise enough to say "the attempt happened while the device was in central Berlin" and imprecise enough that the location itself is not personally identifying. AppVault asks for this permission only if you enable the intruder log; if you decline, captures store the photo and timestamp but no location.
10 Can I disable the intruder log entirely?
Yes. Settings → Intruder Log → Off. The feature is off-by-default for users who do not enable Pro, and configurable for users who do. When disabled, no camera access happens regardless of how many failed pattern attempts occur.