Skip to content
AppVault

FILE 08 / ZERO KNOWLEDGE

The publisher cannot read your data because the publisher does not have your data.

A zero-knowledge product is one whose builder has, by deliberate architectural choice, no way to access the user’s content. Not “we promise not to”. Not “we encrypt at rest”. A structural inability — no keys, no servers, no metadata, no account. This page explains what that means in practice, what AppVault gives up to deliver it, and how to verify the claim independently.

UPDATED · 2026-05-16 · REVIEWED BY APPVAULT

What AppVault literally cannot know

A zero-knowledge product is best defined by the list of things it cannot do — because each item is a thing it has thrown away on purpose, in exchange for the guarantee that no one can use it against the user later.

AppVault literally cannot:

  • Identify who you are. There is no account, email, phone number, or device identifier we collect or correlate.
  • Count your files. The catalog inside the vault is encrypted alongside the files; without your pattern, we cannot see whether your vault holds one file or one thousand.
  • See file types. Photo, video, document — without the catalog, every file looks like a stream of random bytes the same way every other file does.
  • Detect when you used the app. The app makes no network call by default. Even Apple’s App Store install counts are aggregated and not tied to individuals.
  • Recover your pattern. The pattern is never written to disk in any form. PBKDF2 derivation happens in memory and the output is wrapped by the Secure Enclave; nothing about the original input survives the next garbage collection cycle.
  • Reset your vault on request. There is no support ticket that can unlock a vault. We do not run an admin tool. There is no override.

What we accept in exchange

Zero-knowledge has a real cost. Every "could we just..." moment that the marketing department of a conventional app would happily accept — automatic backup to our cloud, password reset by email, "tap here to recover", concierge support that can move your vault to a new phone — is a moment that zero-knowledge says no to.

We accept this cost because every photo-vault breach since 2014 has happened in exactly those moments. A password reset flow leaks. An account database leaks. A "trusted backup" turns out to have been less encrypted than the marketing copy implied. The only honest answer is to not have the surface at all.

So AppVault has the inconvenient features of being inconvenient: forget the pattern and the vault stays sealed. Lose the phone and the recovery passphrase, both, and the vault is gone. We say this in onboarding, in the App Store description, and on this page, because anyone who tells you a vault is both unrecoverable-by-attackers and recoverable-by-support is lying about one of those two claims.

How zero-knowledge differs from end-to-end encryption

The two terms are often used interchangeably and they should not be. End-to-end encryption (E2EE) is a property of a communication channel: messages sent between Alice and Bob are encrypted such that the relay carrying them — WhatsApp, Signal, iMessage — cannot read them. E2EE makes a statement about what the middle of the pipe cannot see.

Zero-knowledge is a stronger statement about the endpoint provider itself. A messaging app can be perfectly end-to-end encrypted and still hold the metadata that says you exchange messages with a specific contact 27 times a day at predictable hours. The content is private; the relationship is not. Zero-knowledge throws out the metadata too.

For a photo vault, this distinction matters because metadata leakage from a non-zero-knowledge vault — "this user has 1,247 photos uploaded, accessing the app daily from 22:00 to 22:15" — is enough to identify the user and produce a credible blackmail or coercion case even without ever cracking the cipher.

Other tools that operate this way

Zero-knowledge is a niche stance even within the privacy space, but a few well-known tools share it in spirit:

  • Signal — the messaging app. Zero-knowledge for message content; their sealed-sender protocol pushes further into zero-knowledge for metadata than any other major messenger.
  • Bitwarden (self-hosted) — the password manager. End-to-end encrypted by default and zero-knowledge when self-hosted on your own infrastructure.
  • ProtonMail — zero-knowledge for message content, though Proton holds enough metadata for spam filtering and abuse handling.
  • Standard Notes — the encrypted note-taking app. Strict zero-knowledge for note content.

AppVault’s zero-knowledge is closer in spirit to Standard Notes than to Signal — there is no relay, only a local vault, so the contact-graph problem does not arise at all.

How to verify the claim

Zero-knowledge is a claim about absence, which is famously hard to prove. The credible way to verify it is to look for evidence that absence would leave behind.

  • Install AppVault, enable airplane mode, and use every feature. Everything except the optional iCloud backup works. There are no failed network calls in iOS Console because none are attempted.
  • Run a packet inspector (Charles Proxy, Little Snitch, Apple’s built-in network logging) against AppVault. You will see zero outbound traffic. Most apps light up like a Christmas tree in this view; AppVault stays dark.
  • Inspect the app’s privacy nutrition label on the App Store. AppVault’s declares no data collected of any category — Apple verifies this label and will reject the app if it does collect undeclared data.
  • Read the cryptography stack on the Security page. Every claim links to a primary source you can check yourself.

The combination — no network traffic, no privacy-label data collection, no account, audited reference cryptography — is what makes zero-knowledge a structural property rather than a marketing claim.

QUESTIONS WE HEAR

Eight common questions about zero-knowledge in practice.

  1. 01 What does zero-knowledge mean for a photo vault app?
    A zero-knowledge photo vault is one whose publisher has no technical ability to access the photos inside it. The publisher does not hold the encryption keys, does not run a server with the photos, and does not have an account recovery mechanism that could be used to bypass the user’s passcode. AppVault is zero-knowledge by this definition because there are no servers, no accounts, and no keys anywhere except on the user’s own iPhone.
  2. 02 How is zero-knowledge different from "end-to-end encrypted"?
    End-to-end encryption (E2EE) means data is encrypted between two endpoints (typically two devices) so the relay in the middle cannot read it. Zero-knowledge is a stronger statement about the service provider: not only can they not read the data, they hold none of the metadata that would let them deduce who you are or what you store. Most messaging apps that ship E2EE still run servers that hold contact graphs, message timestamps, and account identities — they are E2EE but not zero-knowledge. AppVault holds none of those.
  3. 03 Can AppVault really not recover a forgotten pattern?
    Correct. The pattern derives the encryption key. AppVault never stores the pattern and never stores the key — both are produced on demand from your finger input and discarded after use. There is no database we can query, no support tool we can run, and no Apple ID linkage we can fall back on. If the pattern and the recovery phrase are both lost, the vault stays sealed. This trade-off is the price of no-account architecture.
  4. 04 What about the recovery phrase?
    During setup, AppVault generates a BIP-39 12-word recovery phrase from the standard English BIP-39 wordlist and shows it to you once. If you write it down and store it offline, you can use it to unlock the vault on a new device. The phrase derives the master key locally on whichever device enters it. AppVault never transmits or stores the phrase — if you do not write it down, it is gone the moment you tap continue.
  5. 05 Does any feature upload my vault to a cloud?
    No. The vault directory is explicitly excluded from iCloud Backup via NSURLIsExcludedFromBackupKey, and the master keys are pinned to ThisDeviceOnly in the iOS Keychain so they cannot migrate or restore to another device. Survival across device loss is handled by the recovery phrase, not by any cloud sync. There is no AppVault server.
  6. 06 Could a court order force AppVault to hand over my photos?
    A court order is enforced against whatever the recipient actually has. We hold no files, no encryption keys, no account database, no usage logs. A subpoena directed at AppVault would produce a one-page response describing what we do not have. A court order can compel you to unlock your vault — that is a different conversation, between you and your jurisdiction. AppVault provides no technical defense against you being personally compelled.
  7. 07 What does AppVault collect?
    No vault content, no filenames, no per-user identity. The iOS app sends anonymous, content-free funnel events through Firebase Analytics (paywall views, onboarding step, bucketised wrong-pattern counts) and crash diagnostics through Firebase Crashlytics. The exact list of events and what they contain is on the Privacy page. None of those signals carry your pattern, your recovery phrase, your files, file names, or any per-user identifier — we have no account system to link them to. The website at appvau.lt uses Microsoft Clarity for anonymous session replay.
  8. 08 How do I verify these claims?
    For the app: install it, put your iPhone in airplane mode, and every vault function still works — unlock, import, decrypt, file shred, change pattern. The only thing airplane mode disables is the outbound funnel telemetry. For the website: run any network inspector and confirm that no requests fire to AppVault servers (because they do not exist). For the cryptography: the Security page links every claim to its primary source — NIST FIPS 197, IETF RFC 5116, the Apple Platform Security guide, and the OWASP Password Storage Cheat Sheet.

GET STARTED

Seal the vault.

Free to download. The free tier holds one file. Premium removes the limit — Weekly from $3.99 or Yearly from $29.99 with a 7-day free trial.