What Is a Panic PIN? How Duress Codes Protect Your Photos
A Panic PIN opens a decoy vault when you're forced to unlock your phone. How duress codes work, why they matter, and which apps support them.
A Panic PIN is a secondary code that opens a decoy vault when you're coerced into unlocking your app. Instead of revealing your real photos, it shows a believable secondary space. This article explains how duress codes work, the legal landscape around forced phone unlocking, and what to look for in a vault app that takes coercion scenarios seriously.
The coercion problem encryption doesn't solve
Encryption protects data from being read without the key. It does nothing when someone is standing next to you demanding the key.
This scenario has a name in security research: the rubber-hose attack. The attacker doesn't break the math. They pressure the person who holds the password. The "attacker" might be a mugger, an abusive partner, a customs agent, or law enforcement with a warrant.
No amount of ChaCha20-Poly1305 encryption helps once you type in the correct PIN under pressure. The vault opens. The photos are visible. Game over.
A Panic PIN is designed for exactly this gap.
How a Panic PIN works
The concept comes from the security industry. Home alarm systems have used duress codes for decades: enter a special code and the alarm appears to disarm, but silently alerts the monitoring company. Banks use silent alarms triggered by specific PINs. Bruce Schneier discussed duress codes for fingerprint systems back in 2017.
In a photo vault, the Panic PIN works like this:
- You set a primary PIN that opens your real vault with your actual photos
- You set a Panic PIN — a different code
- If coerced, you enter the Panic PIN instead
- The app opens a secondary space that looks and behaves like a real vault
- Your actual photos remain encrypted and invisible
The person watching sees an unlocked vault. They see photos inside (whatever you've placed in the decoy space). They have no reason to suspect a second layer exists. You've complied with their demand without exposing your real data.
This is plausible deniability applied to photo storage.
The legal reality: courts can force you to unlock your phone
The Fifth Amendment protects against self-incrimination through "testimonial" acts. Whether typing a passcode counts as testimonial has been debated in US courts for over a decade, with contradictory rulings.
Biometrics are less protected. The Ninth Circuit ruled in 2025 that law enforcement can compel fingerprint or Face ID unlocking with a warrant. If you use Face ID, an officer can legally hold the phone to your face. The D.C. Circuit pushed back on this in early 2025, ruling that compelled fingerprint unlocking does implicate the Fifth Amendment — but the split means outcomes depend on jurisdiction.
Passcodes have stronger protection, but not everywhere. A 2026 analysis from a Florida criminal defense firm noted that the practical reality for most people is: if police have a warrant and your phone uses biometrics, they can access it.
Outside the US, protections are often weaker. The UK's Regulation of Investigatory Powers Act (RIPA) makes refusing to provide a decryption key a criminal offense — up to two years in prison (five for national security cases). Australia's Assistance and Access Act gives agencies broad powers to compel access.
At borders, the rules change further. US Customs and Border Protection can search electronic devices at ports of entry without a warrant. A 2023 report by the Knight First Amendment Institute documented thousands of such searches annually.
Encryption protects your photos from being read without the key. A Panic PIN protects you when someone can compel you to provide the key. They solve different problems.
Three approaches to duress codes in apps
Not all Panic PINs work the same way. The implementation determines whether the feature actually provides protection.
1. Data wipe on duress PIN
Enter the duress code and the app deletes everything. GrapheneOS offers a duress PIN that wipes the device on entry. Discovery Bank in South Africa launched a panic code that freezes the account when entered under coercion.
The problem: a wiped vault is suspicious. If someone forces you to unlock an app and it's empty, they know you destroyed evidence. This is especially risky in legal contexts — courts can draw adverse inferences from destroyed data.
2. Decoy screen with no real functionality
Some apps show a fake home screen or an empty vault. This is better than a wipe, but thin under scrutiny. An empty vault that's supposed to be your "real" photo storage doesn't hold up if the person is looking carefully. If you claim you use a photo vault but there are zero photos inside, the deception is obvious.
3. Fully functional secondary space
The Panic PIN opens a vault that works like a real vault. It has its own photos, its own encryption, its own storage. You put a few decoy photos in it — vacation pictures, memes, whatever looks believable. When someone demands access, the Panic PIN opens this space, and it looks exactly like a normal, used vault.
This is the strongest approach because the decoy space is indistinguishable from a primary space. There's no "empty vault" red flag. There's no evidence of deletion. The person sees a vault with photos in it and has no technical way to determine that a second encrypted space exists.
What to look for in a Panic PIN implementation
If you're evaluating vault apps for this feature, check these specifics:
Does the decoy space actually store photos? A blank screen fails immediately. The decoy needs to contain believable content — photos you've deliberately placed there.
Is the Panic PIN timing identical to the real PIN? If entering the Panic PIN triggers a visibly different delay (slower unlock, different animation), an observant person can tell. The PIN verification should take the same time regardless of which PIN is entered. In security engineering, this is called constant-time comparison, and its purpose is to prevent timing side-channel attacks.
Can the decoy space be distinguished from the primary space at the filesystem level? If someone with forensic tools can see two encrypted containers of different sizes, the plausible deniability breaks. The implementation matters more than the marketing claim.
Is the Panic PIN separate from biometric unlock? If the app uses Face ID and someone compels you to look at the phone, the Panic PIN is bypassed entirely. You need the ability to disable biometrics quickly (on iPhone: press and hold the side button and a volume button to trigger the SOS screen, which disables Face ID until the passcode is entered).
Inner Gallery's Panic PIN implementation
Inner Gallery implements a Panic PIN as a fully functional secondary space. When you set a Panic PIN in the app, entering it opens a real space with its own photo library and its own ChaCha20-Poly1305 encryption. You add whatever decoy photos make sense for your situation.
Technical details from the security architecture:
- Constant-time PIN verification: a dummy PBKDF2 derivation runs even for the Panic PIN path, normalizing response time. An observer cannot distinguish which PIN was entered based on timing.
- Same UI, same behavior: the Panic PIN space opens with the same animations, same layout, same features as any other space. There's no visual tell.
- Per-space encryption: each space (including the Panic PIN space) has its own encryption key derived from its own PIN. Accessing one space reveals nothing about the existence or contents of other spaces.
- No server-side metadata: since Inner Gallery runs entirely on-device with zero network permissions, there's no server log, no account activity, and no cloud backup that could reveal the existence of multiple spaces.
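A sketch of how uniform-time PIN verification and per-space keys can fit together, added here as an illustration and not taken from Inner Gallery's code. The fixed slot count, the random filler for unused slots, the HMAC labels and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

SLOTS = 4            # assumption: fixed slot count, so the header never shows how many spaces exist
ITERATIONS = 50_000  # assumption: kept low so the example runs quickly
SALT_LEN, TAG_LEN = 16, 32


def _derive(pin, salt):
    """One PBKDF2 run per slot, split into a stored verifier tag and a per-space key."""
    master = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    tag = hmac.new(master, b"verify", hashlib.sha256).digest()
    key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    return tag, key


def new_header(pins):
    """Return SLOTS (salt, tag) pairs; unused slots hold random filler of the same shape."""
    if len(pins) > SLOTS or len(set(pins)) != len(pins):
        raise ValueError("too many PINs, or duplicate PINs")
    header = []
    for i in range(SLOTS):
        salt = os.urandom(SALT_LEN)
        tag = _derive(pins[i], salt)[0] if i < len(pins) else os.urandom(TAG_LEN)
        header.append((salt, tag))
    return header


def unlock(header, pin):
    """Return (slot, key) for a matching PIN, else None.

    Every slot is derived and compared on every attempt with no early exit, so
    the real PIN, the Panic PIN and a wrong PIN all cost SLOTS derivations.
    """
    found = None
    for slot, (salt, tag) in enumerate(header):
        candidate, key = _derive(pin, salt)
        if hmac.compare_digest(candidate, tag):  # data-independent comparison
            found = (slot, key)
    return found


if __name__ == "__main__":
    header = new_header(["4821", "1379"])  # constructed sample PINs: real, then panic
    for pin in ("4821", "1379", "0000"):
        result = unlock(header, pin)
        print(pin, "->", "no match" if result is None else f"space {result[0]}")
```

This equalizes only the key-derivation step; the work done after unlock (loading and rendering the space) has to be uniform as well for the timing to stay indistinguishable.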
A Panic PIN that opens an empty screen fails the moment someone looks. A Panic PIN that opens a functioning vault with real photos in it provides actual plausible deniability. The difference is implementation.
When a Panic PIN matters
You might think duress scenarios are extreme edge cases. They're more common than most people assume:
- Domestic abuse situations: an abusive partner demanding access to your phone is one of the most common coercion scenarios. The National Network to End Domestic Violence documents how technology-facilitated abuse frequently involves forced device access.
- Border crossings: CBP conducted over 45,000 device searches in fiscal year 2024. You can refuse, but your device can be detained.
- Theft and robbery: phone theft with coerced unlocking is common enough that Apple built Stolen Device Protection into iOS 17.3.
- Workplace pressure: someone with authority pressuring you to show your phone is more common in some work environments than people admit.
For many people, the most realistic scenario isn't law enforcement — it's a partner, family member, or acquaintance with physical access to their phone and the social leverage to demand they open it. The iOS Hidden Album falls short here because it unlocks with the same device passcode that the other person likely knows.
The limits of plausible deniability
A Panic PIN isn't a magic shield. Important caveats:
Forensic analysis can find artifacts. A forensic examiner with physical device access and extraction tools like GrayKey or Cellebrite may be able to detect traces of multiple encrypted containers, even if they can't decrypt them. Plausible deniability works against casual observation, not necessarily against a full forensic examination.
Destroying evidence is illegal. Using a wipe-style duress code to destroy data after a court order could result in obstruction charges or contempt of court. A Panic PIN that shows a decoy space doesn't destroy anything — the real data remains encrypted. Consult a lawyer if you're in a legal situation.
It requires preparation. An empty Panic PIN space is suspicious. You need to populate it with believable decoy photos before you're in a coercion scenario.