Media Den logo

Media Den

← Blog

Plaintext at the Edges: The Copies Encryption Doesn't Cover

We tend to judge a private app by a single question: is the data encrypted? That is only half the question. Encryption protects your content while it sits in storage and while it travels across the network. But software is useful only when it decrypts. The moment your content is on screen, searchable, shareable, or shown in a preview, a readable copy of it exists, and the operating system offers a long list of conveniences that quietly keep copies of that readable form.

Those copies are the privacy weak spot. They are not made by an attacker. They are made by the platform doing exactly what it promises, in places you would never think to look. The clearest recent illustration came from Signal.

A Deleted-Message Example

In early 2026, the FBI recovered the contents of Signal messages from an iPhone, even though the messages had been set to disappear, had been deleted, and the Signal app itself had been removed from the phone.[1] Signal's encryption was not broken. Nobody guessed a password. The messages were simply sitting somewhere else on the device, in plain text.

When a Signal message arrives, the app decrypts it on your device and hands the plain text to iOS so the system can draw the notification that shows you who wrote and what they said. At that instant a readable copy exists outside Signal, inside an iOS database whose only job is to remember notifications. You would not think of that database as long-term storage, but it held delivered content for weeks, and a bug meant notifications marked for deletion could be retained anyway. Apple tracked the flaw as CVE-2026-28950 and patched it across several years of iOS releases.[2]

As Signal president Meredith Whittaker put it, "Notifications for deleted messages shouldn't remain in any OS notification database."[3] But the patch does not change the underlying arrangement: to show you a preview, an app gives the operating system your decrypted content. This is not unique to Signal. Any app that displays message text in a notification, including WhatsApp and Telegram, feeds the same pipeline.[4] The bug made the leak worse and longer-lived. The leak itself was built into the convenience.

Plaintext at the Edges

The notification store is one edge, but it's not the only one. Every convenience that makes content quick to find, quick to preview, or quick to share is a place where a readable copy can come to rest. A careful app has to account for all of them:

The app-switcher snapshot. When an app moves to the background, iOS photographs its current screen to animate the multitasking carousel, and saves that image to disk.

Thumbnail and preview caches. The small images the system and apps generate so a grid or a file list can render quickly, often written to disk as ordinary picture files.

The system pasteboard. Anything copied becomes available to other apps, and can sync to your other devices through the universal clipboard.

Temporary files. Many operations need a real file on disk rather than bytes in memory. Playing a video or handing a document to another app usually means writing the decrypted content out, at least briefly.

Spotlight indexing. Content offered to system search is stored so it can be found later, by design.

The shared photo library and backups. The moment media lands in the system photo library or an iCloud or device backup, it follows that system's retention and sync rules, not the app's.

None of these is an attack. They are the platform doing exactly what it promises. But each is a place where the words "deleted" and "encrypted" stop meaning what you assume, because a readable copy took a side door out of the app.

The question to ask
The useful question about any encrypted app is not "is it encrypted at rest." It is: once the app decrypts my content to show it to me, where does that plain text go, who else keeps a copy, and for how long?

What Changes for a Media Vault

The decryption itself isn't really any different. A vault decrypts a photo the same way Signal decrypts a message: once, on your device, and into memory. Vault apps can perform better or worse based on how they let data exist in its unencrypted form.

A messaging app mostly needs a brief render. A line of text is drawn straight from memory, leaving no file and no cache behind. A media vault is built on the surfaces that do leave artifacts. Its main screen is a wall of thumbnails, and a thumbnail is a derived image written to disk so the grid loads quickly, so previews are not an edge case here, they are the product. Video pushes harder still: the system's player wants a real file, so decrypted bytes tend to reach the disk where a still image or a line of text never would.

And each leak is denser. A snapshot of a chat shows a few lines. A snapshot of a vault's grid, or a single screenshot, shows possibly many photos at once. The same plaintext challenge that was a problem in the Signal case just becomes bigger here.

How Media Den Keeps the Copies Inside the Vault

Media Den is a photo and video vault built around one rule: the encrypted path is the default, and a readable copy of your content stays inside it unless you deliberately send it out. That rule turns into a specific decision at each of the edges above.

Notifications. Media Den posts no notifications that contain your media. There is nothing for the system's notification store to keep, because nothing is ever handed to it. The exact leak that exposed the Signal messages has no starting point here.

The app-switcher snapshot. When the app moves to the background, an opaque cover screen replaces the interface before iOS takes its snapshot. The multitasking carousel shows the Media Den logo, not your library.

Thumbnails and previews. The thumbnail grid is the main screen, so its cache is the largest pool of readable copies a vault could leave lying around. Media Den stores that cache encrypted with a device-local key rather than as ordinary image files, and the cache directory is excluded from device and iCloud backups.

The pasteboard and Spotlight. Media Den never places your media on the system pasteboard, and never indexes your library into Spotlight. Two of the most common ways content quietly escapes an app are simply not wired up.

Temporary files. A few operations, such as playing a video, genuinely need a real file on disk. When that happens, the decrypted copy is written to a temporary location that iOS keeps out of backups, and it is removed when the app locks. The plaintext is brief and contained rather than persistent.

Backups and the camera roll. Photos and videos you capture with the app's own camera go straight into the vault and are never written to the system camera roll. The on-device cache is kept out of backups. Your media does not inherit iCloud's retention and sync rules, because it never enters iCloud's library.

The deliberate sharing surfaces. Saving to the camera roll or sharing to another app is sometimes exactly what you want. Media Den treats those as explicit actions, not silent ones: each is something you choose, and the share confirmation states plainly that the recipient receives an unencrypted copy. The protected path is the default; leaving it is a decision you can see.

Underneath all of this, when you enable encryption your originals are encrypted on your device with AES-256-GCM before they are uploaded to storage you control, so the file that leaves the phone is unreadable to the storage provider and to anyone who intercepts it. The app locks behind a PIN and relocks itself when you background it or step away.

Privacy engineering, at this layer, is mostly about making the protected path the default and keeping the readable copies few, brief, and inside the vault. The Signal case is what it looks like when a single readable copy escapes to a place no one was watching. A vault's job is to make sure there is no such place.

Where your photos actually go

Media Den stores your photos and videos encrypted, on storage you control, and is built so a readable copy stays inside the vault. It posts no notifications containing your media, does not index your library into Spotlight, and never copies it to the system pasteboard. A cover screen hides your library from the app-switcher snapshot, the thumbnail grid is cached encrypted rather than as ordinary preview images, and that cache is excluded from device backups. Saving to your camera roll or sharing to another app is always a deliberate, clearly labeled choice.

If you care about where your photos actually go after they are decrypted, give Media Den a try.

Learn more about Media Den →

Download on the App Store Download on the App Store

References

  1. 9to5Mac, "FBI used iPhone notification data to retrieve deleted Signal messages," April 2026. 9to5mac.com
  2. Help Net Security, "Apple fixes iPhone bug that let FBI retrieve deleted Signal messages (CVE-2026-28950)," April 2026. helpnetsecurity.com
  3. TechCrunch, "Apple fixes bug that cops used to extract deleted chat messages from iPhones," April 2026. techcrunch.com
  4. Malwarebytes Labs, "Apple fixes iOS bug that kept deleted notifications, including chat previews," April 2026. malwarebytes.com