Tella

Encrypts photos, video, and audio on capture. Hides files on-device. Captures verification metadata for evidence. Works offline.

Personal security

Built for journalismOpen source

Strong

https://tella-app.org · Reviewed 2026-04-03 · Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about Tella?

Tella is the only mobile app purpose-built for capturing and hiding evidence on a phone. Built by Horizontal, a US-registered 501(c)(3) nonprofit (EIN 83-1782268) with a distributed team across seven countries. The core problem Tella solves: a standard camera app saves photos and videos to a gallery visible to anyone who picks up the phone. Tella encrypts every file the moment it is captured — AES-256 in CTR mode, keys derived via PBKDF2 — and stores everything in an encrypted container invisible to the phone's gallery and file explorer. On Android, two camouflage modes hide the app itself: it can appear as a fully functional calculator (entering the PIN opens Tella), or its name and icon can be changed. iOS cannot camouflage due to platform restrictions. Verification mode captures forensic metadata on every photo, video, or audio recording — file hash, GPS coordinates, altitude, device ID, cell tower identifiers, nearby WiFi networks, and timestamps — exportable as CSV for evidentiary use. Quick delete lets users wipe all files, server connections, or the entire app from a homescreen slider. Works fully offline; internet is only needed to upload to connected servers (Tella Web, Uwazi, Open Data Kit, Google Drive, Nextcloud, Dropbox). Available on Android (Google Play, F-Droid, direct APK) and iOS. The FOSS version on F-Droid strips all proprietary dependencies including Google CrashLytics and Firebase Analytics. Subgraph audited Tella through the OTF Red Team Lab and found only low-to-medium issues; remediation recommendations were provided and deployed. Localized into Arabic, Burmese, French, Portuguese, Russian, Spanish, Vietnamese, and more. Used by digital security trainers in Sub-Saharan Africa, indigenous communities in Brazil documenting land rights violations, and protest documenters in Indonesia. Tella is not a communication tool — it is a capture-and-protect tool. Nothing else does this specific job.

Best for

Documenting human rights violations, police violence, or electoral fraud in environments where phones are searched or seized. Capturing verifiable photo/video/audio evidence with forensic metadata. Offline evidence collection in conflict zones or areas with no connectivity. Submitting documentation to organizations running Uwazi, ODK, or Tella Web servers.

Not for

Secure messaging (use Signal or Briar). Daily photography or casual use — the encryption adds friction. Large file transfers over 20MB to Nextcloud servers (known size limitation). Anyone expecting iOS camouflage (not possible due to Apple platform restrictions).

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Yes

Data is scrambled when stored on their servers

Data jurisdiction Local by default. All data is encrypted on-device and never leaves the phone unless the user explicitly uploads to a connected server. Server jurisdiction depends on the deploying organization — Horizontal does not host or control user data. If Horizontal is contracted to manage a server, it has access as a partner to the deploying organization but states it does not disclose data to third parties.

Where servers are located — affects which governments can request your data

Security rating Strong

No personally identifiable information is collected. No user data is disclosed, shared, or sold. The Google Play version includes two trackers (Google CrashLytics and Firebase Analytics) — the F-Droid FOSS version and iOS version include zero trackers. Optional privacy-preserving analytics (disabled by default) collect aggregate usage data like unlock counts and file counts. Deploying organizations that run servers own and control the data submitted to those servers. Horizontal provides the same privacy standard to all users regardless of location.

How to protect yourself:

Use the F-Droid FOSS version to avoid all proprietary trackers. Enable verification mode in settings before capturing — it is off by default. After importing files into Tella, manually delete the originals from the phone's gallery, because import creates an encrypted copy but leaves the original unencrypted. Do not export files from Tella unless necessary — exported files lose encryption. On Android, know that the app is still visible in Settings > Apps even when camouflaged. Set a strong password lock rather than a simple PIN or pattern. Configure quick delete before entering the field. Test server connections and uploads before deployment in hostile environments. Keep the app updated — Horizontal ships fixes through OTF-funded security improvements.

AES-256 encryption in CTR mode with PBKDF2 key derivation encrypts all captured media at rest. TLS encryption in transit for all server connections. Subgraph security audit through OTF Red Team Lab found only low-to-medium severity issues — no critical vulnerabilities. Android camouflage hides the app behind a functional calculator. Verification mode captures forensic metadata (file hash, GPS, device ID, cell towers, WiFi networks) for evidentiary integrity. Quick delete enables emergency data destruction. Fully open source with a dedicated FOSS version that strips all proprietary dependencies. Local-only by default — no data leaves the device without explicit user action. Built and maintained by a 501(c)(3) nonprofit with OTF grant funding and a published security audit.

Who Owns This

Owner Horizontal (US-registered 501(c)(3) nonprofit, EIN 83-1782268)

Funding Grants from Open Technology Fund (Internet Freedom Fund, Red Team Lab security audit). Grant-funded nonprofit model.

Business model Nonprofit. Free. No revenue model, no ads, no data monetization. Sustainability depends on continued grant funding.

Known issues

Google Play version includes two trackers (CrashLytics and Firebase Analytics) — use the F-Droid FOSS version for zero trackers. Camouflage is Android-only; iOS cannot hide or disguise the app. Even camouflaged on Android, the app appears in Settings > Apps as 'Tella'. Importing files creates an encrypted copy but the unencrypted original remains on the phone. Exported files leave the encrypted container and are accessible to anyone with the device. Nextcloud uploads are limited to 20MB per file on Android due to a known Nextcloud issue. Quick delete (full app removal) is unavailable on some Android phones and all iOS devices. PBKDF2 iteration counts are a pending improvement acknowledged by the development team. The 88 GitHub stars on Tella-Android suggest a small development community relative to the tool's importance. Grant-dependent funding creates long-term sustainability risk.

Pricing

Free. Open source (MIT license for Android, Apache 2.0 for FOSS version).

This is an editorial assessment based on publicly available information as of 2026-04-03, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.