Skip to content
AppVault
en

LANGUAGE / 9

FILE 08 / ZERO KNOWLEDGE

The publisher cannot read your data because the publisher does not have your data.

A zero-knowledge product is one whose builder has, by deliberate architectural choice, no way to access the user’s content. Not “we promise not to”. Not “we encrypt at rest”. A structural inability — no keys, no servers, no metadata, no account. This page explains what that means in practice, what AppVault gives up to deliver it, and how to verify the claim independently.

UPDATED · 2026-05-16 · REVIEWED BY APPVAULT

What AppVault literally cannot know

A zero-knowledge product is best defined by the list of things it cannot do — because each item is a thing it has thrown away on purpose, in exchange for the guarantee that no one can use it against the user later.

AppVault literally cannot:

  • Identify who you are. There is no account, email, phone number, or device identifier we collect or correlate.
  • Count your files. The catalog inside the vault is encrypted alongside the files; without your pattern, we cannot see whether your vault holds one file or one thousand.
  • See file types. Photo, video, document — without the catalog, every file looks like a stream of random bytes the same way every other file does.
  • Detect when you used the app. The app makes no network call by default. Even Apple’s App Store install counts are aggregated and not tied to individuals.
  • Recover your pattern. The pattern is never written to disk in any form. PBKDF2 derivation happens in memory and the output is wrapped by the Secure Enclave; nothing about the original input survives the next garbage collection cycle.
  • Reset your vault on request. There is no support ticket that can unlock a vault. We do not run an admin tool. There is no override.

What we accept in exchange

Zero-knowledge has a real cost. Every "could we just..." moment that the marketing department of a conventional app would happily accept — automatic backup to our cloud, password reset by email, "tap here to recover", concierge support that can move your vault to a new phone — is a moment that zero-knowledge says no to.

We accept this cost because every photo-vault breach since 2014 has happened in exactly those moments. A password reset flow leaks. An account database leaks. A "trusted backup" turns out to have been less encrypted than the marketing copy implied. The only honest answer is to not have the surface at all.

So AppVault has the inconvenient features of being inconvenient: forget the pattern and the vault stays sealed. Lose the phone and the recovery passphrase, both, and the vault is gone. We say this in onboarding, in the App Store description, and on this page, because anyone who tells you a vault is both unrecoverable-by-attackers and recoverable-by-support is lying about one of those two claims.

How zero-knowledge differs from end-to-end encryption

The two terms are often used interchangeably and they should not be. End-to-end encryption (E2EE) is a property of a communication channel: messages sent between Alice and Bob are encrypted such that the relay carrying them — WhatsApp, Signal, iMessage — cannot read them. E2EE makes a statement about what the middle of the pipe cannot see.

Zero-knowledge is a stronger statement about the endpoint provider itself. A messaging app can be perfectly end-to-end encrypted and still hold the metadata that says you exchange messages with a specific contact 27 times a day at predictable hours. The content is private; the relationship is not. Zero-knowledge throws out the metadata too.

For a photo vault, this distinction matters because metadata leakage from a non-zero-knowledge vault — "this user has 1,247 photos uploaded, accessing the app daily from 22:00 to 22:15" — is enough to identify the user and produce a credible blackmail or coercion case even without ever cracking the cipher.

Other tools that operate this way

Zero-knowledge is a niche stance even within the privacy space, but a few well-known tools share it in spirit:

  • Signal — the messaging app. Zero-knowledge for message content; their sealed-sender protocol pushes further into zero-knowledge for metadata than any other major messenger.
  • Bitwarden (self-hosted) — the password manager. End-to-end encrypted by default and zero-knowledge when self-hosted on your own infrastructure.
  • ProtonMail — zero-knowledge for message content, though Proton holds enough metadata for spam filtering and abuse handling.
  • Standard Notes — the encrypted note-taking app. Strict zero-knowledge for note content.

AppVault’s zero-knowledge is closer in spirit to Standard Notes than to Signal — there is no relay, only a local vault, so the contact-graph problem does not arise at all.

How to verify the claim

Zero-knowledge is a claim about absence, which is famously hard to prove. The credible way to verify it is to look for evidence that absence would leave behind.

  • Install AppVault, enable airplane mode, and use every feature. Everything except the optional iCloud backup works. There are no failed network calls in iOS Console because none are attempted.
  • Run a packet inspector (Charles Proxy, Little Snitch, Apple’s built-in network logging) against AppVault. You will see zero outbound traffic. Most apps light up like a Christmas tree in this view; AppVault stays dark.
  • Inspect the app’s privacy nutrition label on the App Store. AppVault’s declares no data collected of any category — Apple verifies this label and will reject the app if it does collect undeclared data.
  • Read the cryptography stack on the Security page. Every claim links to a primary source you can check yourself.

The combination — no network traffic, no privacy-label data collection, no account, audited reference cryptography — is what makes zero-knowledge a structural property rather than a marketing claim.

QUESTIONS WE HEAR

Eight common questions about zero-knowledge in practice.

  1. 01 What does zero-knowledge mean for a photo vault app?
    A zero-knowledge photo vault is one whose publisher has no technical ability to access the photos inside it. The publisher does not hold the encryption keys, does not run a server with the photos, and does not have an account recovery mechanism that could be used to bypass the user’s passcode. AppVault is zero-knowledge by this definition because there are no servers, no accounts, and no keys anywhere except on the user’s own iPhone.
  2. 02 How is zero-knowledge different from "end-to-end encrypted"?
    End-to-end encryption (E2EE) means data is encrypted between two endpoints (typically two devices) so the relay in the middle cannot read it. Zero-knowledge is a stronger statement about the service provider: not only can they not read the data, they hold none of the metadata that would let them deduce who you are or what you store. Most messaging apps that ship E2EE still run servers that hold contact graphs, message timestamps, and account identities — they are E2EE but not zero-knowledge. AppVault holds none of those.
  3. 03 Can AppVault really not recover a forgotten pattern?
    Correct. The pattern derives the encryption key. AppVault never stores the pattern and never stores the key — both are produced on demand from your finger input and discarded after use. There is no database we can query, no support tool we can run, and no Apple ID linkage we can fall back on. If the pattern is lost, the vault stays sealed. This trade-off is the price of zero-knowledge architecture.
  4. 04 What about the optional recovery passphrase?
    During setup, AppVault generates a 24-word English-language passphrase from a standard dictionary and shows it to you once. If you write it down and store it offline, you can use it to unlock the vault on a new device. The passphrase is hashed identically to the pattern and produces the same wrapped key. AppVault never sees or stores the passphrase either — if you do not write it down, it is gone the moment you tap continue.
  5. 05 Does Encrypted iCloud Backup break zero-knowledge?
    No. The optional Encrypted iCloud Backup feature seals each file on your iPhone with a separate per-device backup key before upload. Apple receives only ciphertext. We do not run that backend (it is your iCloud), and we have no access to the backup blobs even if we wanted them. The backup is opt-in, off by default, and described in detail on the Encrypted iCloud page.
  6. 06 Could a court order force AppVault to hand over my photos?
    A court order is enforced against whatever the recipient actually has. We hold no files, no encryption keys, no account database, no usage logs. A subpoena directed at AppVault would produce a one-page response describing what we do not have. A court order can compel you to unlock your vault — that is a different conversation, between you and your jurisdiction. AppVault provides no technical defense against you being personally compelled.
  7. 07 What does AppVault collect?
    AppVault collects nothing. The app makes zero network calls in its default state — no analytics, no crash reports to a third party, no telemetry. Apple shows aggregate App Store install counts; we cannot tie those to individuals. The website at appvau.lt uses Microsoft Clarity for anonymous, opt-out session recording to improve the page itself; Clarity does not see or record what you do inside the iOS app.
  8. 08 How do I verify these claims?
    For the app: install it, put your iPhone in airplane mode, and use it. Every feature except the optional iCloud backup works without a network. For the website: run any network inspector and confirm that no requests fire to AppVault servers (because they do not exist). For the cryptography: the Security page links every claim to its primary source — NIST FIPS 197, IETF RFC 5116, the Apple Platform Security guide, and the OWASP Password Storage Cheat Sheet.

RELATED DOSSIERS

Keep reading.

6 ENTRIES

GET STARTED

Seal the vault.

Free to download. The first vault is free, forever. Upgrade only when you outgrow it.

Open AppVault on iPhone