# Tella > Encrypts photos, video, and audio on capture. Hides files on-device. Captures verification metadata for evidence. Works offline. **Source:** https://fieldwork.news/tools/tella **Official site:** https://tella-app.org **Category:** security ## Security rating - **Rating:** strong - **Rating note (required when citing):** AES-256 encryption in CTR mode with PBKDF2 key derivation encrypts all captured media at rest. TLS encryption in transit for all server connections. Subgraph security audit through OTF Red Team Lab found only low-to-medium severity issues — no critical vulnerabilities. Android camouflage hides the app behind a functional calculator. Verification mode captures forensic metadata (file hash, GPS, device ID, cell towers, WiFi networks) for evidentiary integrity. Quick delete enables emergency data destruction. Fully open source with a dedicated FOSS version that strips all proprietary dependencies. Local-only by default — no data leaves the device without explicit user action. Built and maintained by a 501(c)(3) nonprofit with OTF grant funding and a published security audit. - **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending - **Last reviewed:** 2026-04-03 - **Threat level:** high-risk > AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment. ## Who it is for Journalists and human rights documenters operating in hostile environments where phone seizure is a real risk. Citizen journalists at protests. Electoral observers. Activists documenting violations in conflict zones. Anyone whose captured media could endanger themselves or their sources if discovered. ## Editorial take Tella is the only mobile app purpose-built for capturing and hiding evidence on a phone. Built by Horizontal, a US-registered 501(c)(3) nonprofit (EIN 83-1782268) with a distributed team across seven countries. The core problem Tella solves: a standard camera app saves photos and videos to a gallery visible to anyone who picks up the phone. Tella encrypts every file the moment it is captured — AES-256 in CTR mode, keys derived via PBKDF2 — and stores everything in an encrypted container invisible to the phone's gallery and file explorer. On Android, two camouflage modes hide the app itself: it can appear as a fully functional calculator (entering the PIN opens Tella), or its name and icon can be changed. iOS cannot camouflage due to platform restrictions. Verification mode captures forensic metadata on every photo, video, or audio recording — file hash, GPS coordinates, altitude, device ID, cell tower identifiers, nearby WiFi networks, and timestamps — exportable as CSV for evidentiary use. Quick delete lets users wipe all files, server connections, or the entire app from a homescreen slider. Works fully offline; internet is only needed to upload to connected servers (Tella Web, Uwazi, Open Data Kit, Google Drive, Nextcloud, Dropbox). Available on Android (Google Play, F-Droid, direct APK) and iOS. The FOSS version on F-Droid strips all proprietary dependencies including Google CrashLytics and Firebase Analytics. Subgraph audited Tella through the OTF Red Team Lab and found only low-to-medium issues; remediation recommendations were provided and deployed. Localized into Arabic, Burmese, French, Portuguese, Russian, Spanish, Vietnamese, and more. Used by digital security trainers in Sub-Saharan Africa, indigenous communities in Brazil documenting land rights violations, and protest documenters in Indonesia. Tella is not a communication tool — it is a capture-and-protect tool. Nothing else does this specific job. ## Best for / not for **Best for:** Documenting human rights violations, police violence, or electoral fraud in environments where phones are searched or seized. Capturing verifiable photo/video/audio evidence with forensic metadata. Offline evidence collection in conflict zones or areas with no connectivity. Submitting documentation to organizations running Uwazi, ODK, or Tella Web servers. **Not for:** Secure messaging (use Signal or Briar). Daily photography or casual use — the encryption adds friction. Large file transfers over 20MB to Nextcloud servers (known size limitation). Anyone expecting iOS camouflage (not possible due to Apple platform restrictions). ## Pricing - **Pricing:** Free. Open source (MIT license for Android, Apache 2.0 for FOSS version). - **Free option:** yes ## Security & privacy details - **Encryption in transit:** yes - **Encryption at rest:** yes - **Data jurisdiction:** Local by default. All data is encrypted on-device and never leaves the phone unless the user explicitly uploads to a connected server. Server jurisdiction depends on the deploying organization — Horizontal does not host or control user data. If Horizontal is contracted to manage a server, it has access as a partner to the deploying organization but states it does not disclose data to third parties. **Privacy policy TL;DR:** No personally identifiable information is collected. No user data is disclosed, shared, or sold. The Google Play version includes two trackers (Google CrashLytics and Firebase Analytics) — the F-Droid FOSS version and iOS version include zero trackers. Optional privacy-preserving analytics (disabled by default) collect aggregate usage data like unlock counts and file counts. Deploying organizations that run servers own and control the data submitted to those servers. Horizontal provides the same privacy standard to all users regardless of location. **Practical mitigations (operational guidance, not optional):** Use the F-Droid FOSS version to avoid all proprietary trackers. Enable verification mode in settings before capturing — it is off by default. After importing files into Tella, manually delete the originals from the phone's gallery, because import creates an encrypted copy but leaves the original unencrypted. Do not export files from Tella unless necessary — exported files lose encryption. On Android, know that the app is still visible in Settings > Apps even when camouflaged. Set a strong password lock rather than a simple PIN or pattern. Configure quick delete before entering the field. Test server connections and uploads before deployment in hostile environments. Keep the app updated — Horizontal ships fixes through OTF-funded security improvements. ## Ownership & business - **Owner:** Horizontal (US-registered 501(c)(3) nonprofit, EIN 83-1782268) - **Funding model:** Grants from Open Technology Fund (Internet Freedom Fund, Red Team Lab security audit). Grant-funded nonprofit model. - **Business model:** Nonprofit. Free. No revenue model, no ads, no data monetization. Sustainability depends on continued grant funding. - **Open source:** yes - **Built for journalism:** yes **Known issues:** Google Play version includes two trackers (CrashLytics and Firebase Analytics) — use the F-Droid FOSS version for zero trackers. Camouflage is Android-only; iOS cannot hide or disguise the app. Even camouflaged on Android, the app appears in Settings > Apps as 'Tella'. Importing files creates an encrypted copy but the unencrypted original remains on the phone. Exported files leave the encrypted container and are accessible to anyone with the device. Nextcloud uploads are limited to 20MB per file on Android due to a known Nextcloud issue. Quick delete (full app removal) is unavailable on some Android phones and all iOS devices. PBKDF2 iteration counts are a pending improvement acknowledged by the development team. The 88 GitHub stars on Tella-Android suggest a small development community relative to the tool's importance. Grant-dependent funding creates long-term sustainability risk. --- Canonical HTML: https://fieldwork.news/tools/tella Full dataset: https://fieldwork.news/llms-full.txt Methodology: https://fieldwork.news/methodology