5.0SECURITY, PRIVACY, 0 BYTES OUT
The threat model.
Privacy claims are cheap. This page is written the way a threat model should be: what the app stores, where it stores it, who can reach it, and what Anonycord does not protect you from.
Anonycord exists for personal security, documentation, and evidence: recording your own moments, in your own environment, on your own device. That covers a tense encounter you want a record of, a lecture you can’t photograph politely, a dark venue where a lit screen is a nuisance, or an incident where the footage may matter later and a glowing preview would escalate things.
It is not built for, and this project does not endorse, covert surveillance of other people. The discretion exists so that recording your own life doesn’t require announcing it with a lit screen. It is not for hiding a camera from the people you live or work with.
| Data | Location | Who can reach it |
|---|---|---|
| Recordings (library destination) | The system Photos database, optionally in an Anonycord album | Anything with photo-library access; syncs to iCloud Photos if you have it enabled |
| Recordings (vault destination) | Anonycord’s app sandbox, on-device only | Only the vault viewer, behind the system Face ID prompt; invisible to Photos, Files, and other apps |
| Settings | Local preferences inside the app container | The app itself |
| Accounts, identifiers, analytics | Nothing. There is no such data. | No one; it is never created |
The vault viewer is gated behind the system LocalAuthentication prompt, the same Face ID gate iOS offers banking apps. The app declares NSFaceIDUsageDescription in its build settings, and recordings stored in the vault live inside the app sandbox, which iOS encrypts at rest as part of its standard data protection.
Sandbox storage has a sharp edge, stated plainly in the README and repeated here: vault recordings are removed if the app is deleted or a reinstall goes wrong. If a recording matters, use the Both destination for a visible copy in Photos and a private copy in the vault.
Anonycord contains no analytics SDK, crash reporter, advertising identifier, or account system, and no networking layer that could carry footage. None of this is a setting that defaults to off; the code simply isn’t there.
- 0analytics or tracking SDKs
- 0accounts or sign-ins
- 0servers receiving footage
- 0bytes of telemetry, ever
You do not have to take this page’s word for it: the source is public under GPL-3.0, every release is built from that source by a public CI workflow, and you can build the app yourself in Xcode and diff the behaviour.
- A lit screen giving away that you are recording your own surroundings
- Casual inspection of your phone: vault recordings appear nowhere in Photos or Files
- Other apps with photo-library permission reading your vaulted footage
- Cloud exposure of vault recordings: they are never uploaded anywhere
- Someone who can unlock your device and pass the Face ID prompt: the vault is a gate, not a separate cryptographic enclave
- iCloud sync of Library-destination saves: those are normal Photos assets by design
- Forensic extraction of an unlocked device, or legal compulsion to unlock it
- Loss of vault contents if the app is deleted: documented behaviour, not a surprise
Recording laws are real, they vary enormously, and they are your responsibility. Some jurisdictions allow recording anything you can lawfully see or hear; others require the consent of one party, or of everyone involved; audio is often regulated more strictly than video. Know your local law before you press record.
Use Anonycord to document your own environment and your own evidence. Do not use it to record people in places or situations where they are entitled to privacy. A dark screen doesn’t change what the camera and microphone are doing, and it doesn’t change your obligations to the people around you.
- 01
Read the source: jackghx/Anonycord, GPL-3.0, forked from c22dev/Anonycord.
- 02
Watch the build: build.yml on GitHub Actions produces every release IPA from the tagged source, unsigned, with public logs.
- 03
Check the digest: each release asset publishes a SHA-256 hash. Hash your download and compare before you sideload.
- 04
Or trust no one: open
Anonycord.xcodeprojin Xcode and run it on your own device. The simulator can’t use the camera, volume buttons, or Face ID; a physical device is required.