Revoke photo access, permanently
Shared something you regret? One tap and the encryption key is destroyed.
Why “delete shared photos remotely” is not enough
Most apps that claim to let you delete shared photos remotely are relying on the other person’s device to cooperate. Tucked takes a fundamentally different approach.
Remote delete request
The app sends a message to the other device asking it to delete the file. But the file was already decrypted and saved. If the other device ignores the request, or if the person copied the file before, the photo still exists, fully viewable.
- Relies on the other device cooperating
- File may already be saved in plaintext
- No guarantee the file is actually gone
Cryptographic revocation
The encryption key is destroyed on the server. Without it, the encrypted content cannot be decrypted. Without the key, there is no way to decrypt the content.
- Server destroys the key, no cooperation needed
- Decrypted content is never written to disk
- Protects against future access after revocation
How revoking photo access works
Every photo you share gets its own unique encryption key. When you revoke access, that key is destroyed.
You share a photo
Tucked generates a unique Content Encryption Key (CEK) and encrypts the photo on your device before it ever leaves. The encrypted photo is uploaded, and the CEK is sealed to your partner's public key and stored on Tucked's server.
Your partner views it
When your partner opens the photo, their device requests the sealed CEK from the server, unseals it with their private key, and decrypts the content in memory. The decrypted photo is never written to disk. It exists only on screen.
You revoke access
One tap. The server deletes the sealed CEK and the content record, and pushes a deletion signal to your partner's device. Without the sealed key, the encrypted bytes cannot be decrypted.
What this means for you
You stay in control
Every photo and video you share through Tucked remains under your control. You decide who can see it, and you can change that decision at any time. One tap, and access is gone.
After a breakup
Revoke access to everything you ever shared, individually or all at once. The encryption keys are permanently destroyed, and your content becomes inaccessible through Tucked.
Your keys, your device
Your private encryption keys never leave your device. They are protected by Face ID and stored in secure hardware. Even we cannot see your content.
Nothing on disk
Decrypted content lives only in memory and is never written to disk. When you leave the app, cached content is purged. There are no plaintext files to find, anywhere.
Limitations
No app can guarantee perfect protection, and we will never pretend otherwise.
Revocation destroys the key needed to decrypt content. If the key has not been obtained by the time it is destroyed, the content is permanently inaccessible. That is a strong guarantee.
However, while content is being viewed, the decryption key exists briefly in device memory. A determined recipient could attempt to extract it during that window. Tucked minimizes this window: keys are held only momentarily, never written to disk, and content is purged when the app leaves the foreground.
What matters is what happens after that window closes. Once access is revoked and in-memory state is gone, the content cannot be recovered. Revocation is not a request. It is enforced by the architecture.
Common questions about revoking photo access
Once you revoke, the encryption key is destroyed on the server. Even if your partner has a copy of the encrypted file on their device, the key no longer exists for them to obtain. We also push a deletion signal to remove cached encrypted data from their device.
No, it is stronger. Remote delete asks the other device to remove a file, but there is no guarantee it actually does. Tucked's approach is different: instead of asking nicely, it destroys the encryption key on the server. Without the key, the content cannot be decrypted. It does not matter whether the encrypted file is deleted or not.
Tucked uses ChaChaPoly AEAD for content encryption, Curve25519 for key exchange, and HPKE (RFC 9180) for key encapsulation. Your private keys live only on your device, protected by Face ID. The server never has access to your private keys or your decrypted content.
Both. You can revoke access to a single photo or video with one tap. You can also end your entire sharing partnership, which destroys all encryption keys and content at once.
No. Revocation is free and always will be. We will never put your ability to control your own content behind a paywall.
While content is being viewed, the decryption key exists in device memory. There is no way around this. You need the key to view the content. A highly motivated attacker with technical skills could theoretically extract it during that window. However, once you revoke, the key is destroyed on our server. If they haven't obtained it by then, they cannot. Tucked is designed to make this window as small as possible: keys are held only momentarily and never written to disk.
Tucked blocks screenshots as aggressively as iOS allows. When a screenshot attempt is detected, the content is hidden. However, no software can guarantee 100% screenshot prevention. A determined person could photograph the screen with another device. Revocation and screenshot prevention are two separate layers of protection.