Why Inner Gallery Works Without a Server
Inner Gallery has no backend and no accounts. Photos are encrypted on-device with optional E2E iCloud sync. Why that's a deliberate architecture choice and what it means for privacy.
Inner Gallery has no server because it doesn't need one. Photos are encrypted on-device with CryptoKit and stored locally. With v1.2.0, optional E2E encrypted iCloud sync lets you back up across devices — but Jungle Labs never holds your decryption keys. No company server means no breaches, no accounts, no recurring costs, and no reason to charge a subscription.
Most apps have servers. Servers store your data, manage your account, process payments, send notifications, and collect analytics. They're so ubiquitous that a "serverless" app sounds like it's missing something.
Inner Gallery is designed around the question: what if the server is the problem?
What a server does in a typical vault app
In most photo vault apps, the server plays several roles:
- Account management: Create an account, log in, recover your password. The server stores your credentials and manages authentication.
- Photo storage: Your photos upload to the company's cloud. The server stores them, sometimes encrypted with keys the company holds.
- Payment processing: Subscription management, receipt validation, entitlement checks.
- Analytics: Usage tracking, behavioral data, crash reports. This is where SDKs like Amplitude, Firebase, and Facebook come in.
- Sync: Cross-device access to your photos through the server.
Each of these creates a dependency — and a potential point of failure or exploitation.
The problem with each server function
Accounts mean password recovery means key access
If a vault app offers "forgot your password" recovery, someone — the company, their server, a support agent — can reset your credentials and access your data. True end-to-end encryption is incompatible with password recovery performed by the company. The encryption key must be derived from something only the user knows. If the company can reset it, they hold a key.
Cloud storage means breach surface
Every server storing user data is a target. Data breaches in 2024 affected billions of records across industries. A vault app storing photos on a server creates a centralized target — millions of private photos in one place.
Cloud storage also means the company can access your photos unless they use true end-to-end encryption where they don't hold the keys. As documented in Are Photo Vault Apps Actually Safe?, most vault apps don't implement this.
Analytics means tracking
If the app includes analytics SDKs, it's collecting behavioral data. Screen views, session duration, feature usage, device information. Even if the analytics don't touch your photos directly, they build a profile of your behavior inside a "privacy" app.
Keepsafe's relationship with Amplitude — tracking 6 billion events and using behavioral data to optimize pricing — is a public example of how this works in practice.
Servers mean recurring costs mean subscriptions
Running servers costs money. Cloud hosting, bandwidth, storage, engineering to maintain the infrastructure. These costs recur monthly, which is why server-dependent apps charge subscriptions. The $9.99/month isn't just profit — it funds the servers that store your photos.
This creates a misaligned incentive: the app needs you to keep paying, so it needs to keep your photos on their servers. Stop paying, and your photos become inaccessible — or deleted. For more on this dynamic, see Why Vault Apps Charge Subscriptions.
How Inner Gallery works without a server
Inner Gallery removes the server entirely. Here's what replaces each function:
No accounts
There's no login, no email, no password. Each space in the app is protected by its own PIN, which is used to derive the encryption key locally. No PIN recovery exists — by design. If the company can't recover your PIN, the company can't access your data.
No company cloud storage
Photos are encrypted on-device using ChaCha20-Poly1305 via Apple's native CryptoKit framework. The encrypted files exist in the app's sandbox on the iPhone's local storage, protected by both the vault encryption and iOS file protection. With the optional Cloud Sync feature (v1.2.0), encrypted data can replicate to the user's own iCloud account — but the data is end-to-end encrypted before it leaves the device, and Jungle Labs never has access to it.
No analytics
Zero tracking SDKs. No Amplitude, no Firebase, no Facebook SDK, no Adjust, no AppsFlyer. There is no telemetry, no crash reporting service, no usage analytics. The only network activity is optional iCloud sync — initiated by the user, E2E encrypted, and routed through the user's own iCloud account. If a feature is used more than another, the developers don't know — and that's intentional.
No server means no recurring costs
With no company servers to run, there's no ongoing infrastructure cost. This is why Inner Gallery can offer a one-time purchase model: Free tier (2 spaces, 50 items), Space Pack €9.99, Media Pack €9.99, Panic PIN €9.99, Cloud Sync €14.99, App Icons €4.99, Pro Bundle €34.99, Lifetime €99.99. No subscription. Once purchased, the features work forever.
Payment validation
In-App Purchases are validated locally through Apple's StoreKit framework. The iPhone handles purchase verification directly with Apple's servers — the app itself doesn't need its own server for this.
What about backups?
With v1.2.0, the backup trade-off of local-only storage is largely addressed by optional Cloud Sync — but even without it, there are backup strategies:
- iTunes/Finder encrypted backup: A full device backup includes the app's sandbox data. With an encrypted backup, the vault data is included in the backup's encryption layer.
- iCloud device backup: If iCloud backup is enabled, the app's data may be included in the device backup (encrypted with iCloud keys, or E2EE with Advanced Data Protection enabled).
Cloud Sync: E2E encrypted iCloud sync (v1.2.0)
Inner Gallery now offers optional Cloud Sync as a paid add-on (€14.99). Here's how it works:
- Photos are encrypted on-device before they leave the phone — the same ChaCha20-Poly1305 encryption used for local storage.
- Encrypted blobs sync to the user's own iCloud account via CloudKit. Jungle Labs has no server in the middle and no access to the data.
- Cross-device pairing lets you access your vault on multiple devices. Each device derives its own key from the space PIN.
- Panic spaces are never synced — by design. They exist only on the device where they were created.
This gives the backup and multi-device benefits of cloud storage while maintaining the zero-knowledge architecture. The user's iCloud stores only encrypted data it cannot read, and Jungle Labs never sees any of it.
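The PIN-to-key-to-ciphertext flow described above can be sketched with CryptoKit as follows. This is an added example, not Inner Gallery's code. The page does not name the app's key-derivation function or blob layout, so PBKDF2 (via CommonCrypto), the round count, the salt-prefixed layout, and the names `deriveKey`, `sealPhoto` and `openPhoto` are all assumptions.

```swift
import CommonCrypto
import CryptoKit
import Foundation

enum VaultError: Error { case kdfFailed }

// Hypothetical helper: stretch a space PIN into a 256-bit key with PBKDF2-HMAC-SHA256.
// The page does not name the app's KDF; PBKDF2 and the round count are assumptions.
// A PIN has little entropy, so the KDF work factor is what slows offline guessing.
func deriveKey(pin: String, salt: Data, rounds: UInt32 = 600_000) throws -> SymmetricKey {
    var out = [UInt8](repeating: 0, count: 32)
    let saltBytes = [UInt8](salt)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2), pin, pin.utf8.count,
        saltBytes, saltBytes.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds, &out, out.count)
    guard status == Int32(kCCSuccess) else { throw VaultError.kdfFailed }
    return SymmetricKey(data: out)
}

// Encrypt on-device. The returned blob (salt || nonce || ciphertext || tag) is the
// only thing that would be written to disk or handed to a sync layer (assumed layout).
func sealPhoto(_ photo: Data, pin: String) throws -> Data {
    let salt = Data((0..<16).map { _ in UInt8.random(in: 0...255) })
    let key = try deriveKey(pin: pin, salt: salt)
    let box = try ChaChaPoly.seal(photo, using: key)  // fresh random nonce per call
    return salt + box.combined
}

// Any device that knows the PIN re-derives the same key from the salt in the blob.
// A wrong PIN yields a different key, the Poly1305 tag check fails, and open() throws.
func openPhoto(_ blob: Data, pin: String) throws -> Data {
    let key = try deriveKey(pin: pin, salt: blob.prefix(16))
    let box = try ChaChaPoly.SealedBox(combined: blob.dropFirst(16))
    return try ChaChaPoly.open(box, using: key)
}

// Constructed sample data and PINs, for illustration only.
let photo = Data("constructed bytes standing in for a JPEG".utf8)
let blob = try sealPhoto(photo, pin: "482913")

let roundTrip = try openPhoto(blob, pin: "482913")
assert(roundTrip == photo)                      // correct PIN recovers the plaintext

let wrongPin = try? openPhoto(blob, pin: "000000")
assert(wrongPin == nil)                         // wrong PIN: authentication fails, no data
```

Because the salt is not secret and is stored with the ciphertext, nothing other than the PIN has to be shared between devices, and nothing in the blob lets a party without the PIN rebuild the key.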
The architecture in practice
Here's what the serverless design means day to day:
| Feature | Server-based vault | Inner Gallery |
|---|---|---|
| Works offline | Sometimes | Always |
| Works without internet | Rarely | Always |
| Account required | Yes | No |
| Password recovery | Yes (server holds key) | No (by design) |
| Data breach possible (server-side) | Yes | No server to breach |
| Photos accessible to developer | Usually | Never |
| Subscription required | Usually | No |
| Analytics/tracking | Usually | None |
A server is a liability when your goal is privacy. Every server function in a vault app — accounts, storage, analytics, sync — can be replaced with a local-first approach that keeps the user in full control. Cloud Sync adds backup and multi-device access without compromising this: data is E2E encrypted on-device and syncs through the user's own iCloud, not a Jungle Labs server.
Why this matters for the encryption discussion
As explored in Photo Encryption on iPhone: What It Actually Means, the critical question in encryption is always: who holds the key?
In a server-based vault, the answer is often "both the user and the company." In Inner Gallery, the answer is "only the user." There is no server to send the key to, no account system to store it, no recovery mechanism that could expose it.
This is what zero-knowledge architecture means in practice. The developers know the app exists on your phone. They don't know what's in it. They can't know, because the architecture makes it impossible.
Related reading:
- How to Hide Photos on iPhone — every method compared, from Hidden album to encrypted vaults
- 5 Best Photo Vault Apps for iPhone — honest review of the top vault apps
- Photo Encryption Explained — what encrypted storage actually means for your photos
- Are Photo Vault Apps Actually Safe? — what most vault apps don't tell you