
Why Inner Gallery Works Without a Server

Inner Gallery has no backend, no accounts, no cloud. Why that's a deliberate architecture choice and what it means for privacy and reliability.

TL;DR

Inner Gallery has no server because it doesn't need one. Photos are encrypted on-device with CryptoKit, stored locally, and never transmitted anywhere. No server means no breaches, no accounts, no recurring costs, and no reason to charge a subscription. Encrypted cloud sync is planned — but even then, the server will never hold your decryption keys.

Most apps have servers. Servers store your data, manage your account, process payments, send notifications, and collect analytics. They're so ubiquitous that a "serverless" app sounds like it's missing something.

Inner Gallery is designed around the question: what if the server is the problem?

What a server does in a typical vault app

In most photo vault apps, the server plays several roles:

  1. Account management: Create an account, log in, recover your password. The server stores your credentials and manages authentication.
  2. Photo storage: Your photos upload to the company's cloud. The server stores them, sometimes encrypted with keys the company holds.
  3. Payment processing: Subscription management, receipt validation, entitlement checks.
  4. Analytics: Usage tracking, behavioral data, crash reports. This is where SDKs like Amplitude, Firebase, and Facebook come in.
  5. Sync: Cross-device access to your photos through the server.

Each of these creates a dependency — and a potential point of failure or exploitation.

The problem with each server function

Accounts mean password recovery means key access

If a vault app offers "forgot your password" recovery, someone — the company, their server, a support agent — can reset your credentials and access your data. True end-to-end encryption is incompatible with password recovery. The encryption key must be derived from something only the user knows. If the company can reset it, they hold a key.

Cloud storage means breach surface

Every server storing user data is a target. Data breaches in 2024 affected billions of records across industries. A vault app storing photos on a server creates a centralized target — millions of private photos in one place.

Cloud storage also means the company can access your photos unless they use true end-to-end encryption where they don't hold the keys. As documented in Are Photo Vault Apps Actually Safe?, most vault apps don't implement this.

Analytics means tracking

If the app includes analytics SDKs, it's collecting behavioral data. Screen views, session duration, feature usage, device information. Even if the analytics don't touch your photos directly, they build a profile of your behavior inside a "privacy" app.

Keepsafe's relationship with Amplitude — tracking 6 billion events and using behavioral data to optimize pricing — is a public example of how this works in practice.

Servers mean recurring costs mean subscriptions

Running servers costs money. Cloud hosting, bandwidth, storage, engineering to maintain the infrastructure. These costs recur monthly, which is why server-dependent apps charge subscriptions. The $9.99/month isn't just profit — it funds the servers that store your photos.

This creates a misaligned incentive: the app needs you to keep paying, so it needs to keep your photos on their servers. Stop paying, and your photos become inaccessible — or deleted. For more on this dynamic, see Why Vault Apps Charge Subscriptions.

Inner Gallery removes the server entirely. Here's what replaces each function:

No accounts

There's no login, no email, no password. Each space in the app is protected by its own PIN, which is used to derive the encryption key locally. No PIN recovery exists — by design. If the company can't recover your PIN, the company can't access your data.

No cloud storage

Photos stay on the device. Each one is encrypted individually using ChaCha20-Poly1305 via Apple's native CryptoKit framework. The encrypted files exist in the app's sandbox on the iPhone's local storage, protected by both the vault encryption and iOS file protection.

No analytics

Zero tracking SDKs. No Amplitude, no Firebase, no Facebook SDK, no Adjust, no AppsFlyer. The app doesn't even request network permissions. There is no telemetry, no crash reporting service, no usage analytics. If one feature is used more than another, the developers don't know — and that's intentional.

No server means no recurring costs

With no servers to run, there's no ongoing infrastructure cost. This is why Inner Gallery can offer a one-time purchase model: Free tier (2 spaces, 50 media), expansion packs at €9.99, Pro Bundle at €24.99, Lifetime at €99.99. No subscription. Once purchased, the features work forever.

Payment validation

In-App Purchases are validated locally through Apple's StoreKit framework. The iPhone handles purchase verification directly with Apple's servers — the app itself doesn't need its own server for this.

What about backups?

This is the honest trade-off. Without a server, there's no automatic cloud backup. If the device is lost, damaged, or wiped, locally stored photos are gone.

Mitigation strategies:

  • iTunes/Finder encrypted backup: A full device backup includes the app's sandbox data. With an encrypted backup, the vault data is included in the backup's encryption layer.
  • iCloud device backup: If iCloud backup is enabled, the app's data may be included in the device backup (encrypted with iCloud keys, or end-to-end encrypted when Advanced Data Protection is enabled).

Encrypted sync is planned

The roadmap includes encrypted cloud sync — replicating vault data between devices without the server ever having access to decryption keys. The sync server would store only encrypted blobs, using a key exchange protocol where keys are derived from the user's PIN on each device. The server would be a dumb pipe, transporting encrypted data it cannot read.

This approach gives the backup benefits of cloud storage while maintaining the zero-knowledge architecture. The server never sees unencrypted photos, never holds decryption keys, and could be breached without exposing user data.
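The key handling described above, as an added example (not Inner Gallery's code): a per-space key derived from the PIN and per-photo ChaCha20-Poly1305 via CryptoKit, as under "No accounts" and "No cloud storage", plus what a blob-only sync server would hold. The KDF (PBKDF2 through CommonCrypto), its round count, the salt handling, the photo-ID associated data and all function names are assumptions; the page does not specify them.

```swift
import CommonCrypto
import CryptoKit
import Foundation

enum VaultError: Error { case kdfFailed }

// Assumption: PBKDF2-HMAC-SHA256. The page does not name the app's KDF or
// work factor; `rounds` is illustrative.
func deriveSpaceKey(pin: String, salt: [UInt8], rounds: UInt32 = 600_000) throws -> SymmetricKey {
    let keyLength = 32 // ChaCha20-Poly1305 takes a 256-bit key
    var out = [UInt8](repeating: 0, count: keyLength)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2), pin, pin.utf8.count,
        salt, salt.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds,
        &out, keyLength)
    guard status == Int32(kCCSuccess) else { throw VaultError.kdfFailed }
    return SymmetricKey(data: out)
}

// Encrypt one photo. The photo ID is bound as associated data, so a blob
// moved onto a different ID fails authentication when opened.
func sealPhoto(_ photo: Data, id: String, key: SymmetricKey) throws -> Data {
    try ChaChaPoly.seal(photo, using: key, authenticating: Data(id.utf8)).combined
}

func openPhoto(_ blob: Data, id: String, key: SymmetricKey) throws -> Data {
    let box = try ChaChaPoly.SealedBox(combined: blob)
    return try ChaChaPoly.open(box, using: key, authenticating: Data(id.utf8))
}

// Constructed sample data, not real vault contents.
let salt = (0..<16).map { _ in UInt8.random(in: 0...255) } // per space, not secret
let photo = Data("constructed sample bytes standing in for a JPEG".utf8)

// Device A: the key exists only in memory, derived from the PIN.
let keyA = try deriveSpaceKey(pin: "482913", salt: salt)
let blob = try sealPhoto(photo, id: "IMG_0001", key: keyA)

// All that storage or a sync server would hold: the salt and the blob
// (12-byte nonce, ciphertext, 16-byte tag). No key and no PIN.
print("stored bytes:", blob.count, "plaintext bytes:", photo.count)

// Device B: the same PIN and salt reproduce the key, so the blob opens.
let keyB = try deriveSpaceKey(pin: "482913", salt: salt)
let recovered = try openPhoto(blob, id: "IMG_0001", key: keyB)
print("device B recovers photo:", recovered == photo)

// Wrong PIN: a different key, and Poly1305 authentication rejects the blob.
let wrongKey = try deriveSpaceKey(pin: "000000", salt: salt)
print("wrong PIN opens blob:", (try? openPhoto(blob, id: "IMG_0001", key: wrongKey)) != nil)
```

Under these assumptions the salt is not secret, but it has to be stored or synced alongside the blobs, because each device needs it to re-derive the key.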

The architecture in practice

Here's what the serverless design means day to day:

| Feature | Server-based vault | Inner Gallery |
|---|---|---|
| Works offline | Sometimes | Always |
| Works without internet | Rarely | Always |
| Account required | Yes | No |
| Password recovery | Yes (server holds key) | No (by design) |
| Data breach possible (server-side) | Yes | No server to breach |
| Photos accessible to developer | Usually | Never |
| Subscription required | Usually | No |
| Analytics/tracking | Usually | None |

A server is a liability when your goal is privacy. Every server function in a vault app — accounts, storage, analytics, sync — can be replaced with a local-first approach that keeps the user in full control. The trade-off is backup responsibility, which encrypted sync will address.

Why this matters for the encryption discussion

As explored in Photo Encryption on iPhone: What It Actually Means, the critical question in encryption is always: who holds the key?

In a server-based vault, the answer is often "both the user and the company." In Inner Gallery, the answer is "only the user." There is no server to send the key to, no account system to store it, no recovery mechanism that could expose it.

This is what zero-knowledge architecture means in practice. The developers know the app exists on your phone. They don't know what's in it. They can't know, because the architecture makes it impossible.

