How Confess. Protects Your Confession Data
A Catholic examination of conscience is the most private writing most people will ever do. Confess. is built so that the only person who can read it is you, on the device where you wrote it. This page explains how that works, in plain language, and where the trade-offs are.
Why on-device matters for confession
The Catholic seal of confession is the strongest secrecy obligation in canon law. A priest cannot reveal the contents of a confession for any reason — not to a court, not to a bishop, not to save his own life. The seal is a spiritual obligation that survives the death of the penitent.
The seal binds priests, not apps. We are not a confessor and make no claim to be. But the spirit of the seal — that what passes between a Catholic and God in the act of confession should reach no one else — is the design constraint that shapes everything in Confess.
If your examination of conscience were stored on our servers, it could be subpoenaed. If it were synced through iCloud, it would be subject to Apple's lawful-access processes. If it were uploaded to a third-party analytics SDK, it would be subject to that company's data practices, breaches, and acquisitions. The only way to make the data unreachable is to never let it leave your device.
How AES-256-GCM works
AES-256-GCM is the encryption standard used by the U.S. government for top-secret information. The "256" is the size of the encryption key in bits. The "GCM" is a mode of operation that not only encrypts the data but also detects whether anyone has tampered with it.
In plain terms: when you write a journal entry in Confess., the text is scrambled using a 256-bit key, a number so large that guessing it by brute force would take longer than the age of the universe. Without the key, the encrypted file looks like random noise. With the key, it reads back as the original text.
The key for your data is generated on your phone the first time you use the app. We never see it. It is not transmitted, backed up, or escrowed. It exists in exactly one place: the iOS Keychain on your specific device.
How the iOS Keychain protects the key
The iOS Keychain is Apple's hardware-backed secret store. It uses the Secure Enclave — a separate chip on every iPhone — to hold cryptographic keys in a way that even iOS itself cannot directly read. Apps must request access through tightly scoped APIs, and that access is logged and policy-controlled.
Confess. stores your encryption key with the strictest accessibility class iOS offers: kSecAttrAccessibleWhenUnlockedThisDeviceOnly. This flag means three things:
- The key is accessible only when the device is unlocked.
- The key is bound to this physical device. If iCloud Keychain syncing is enabled for other apps, this key is explicitly excluded from sync.
- The key is excluded from iCloud, iTunes, and Finder backups. There is no copy of it anywhere except in the Secure Enclave of the phone itself.
The trade-off, honestly named
The protection that makes your data unreadable to us also makes it unrecoverable to you if the device is lost.
If your iPhone is stolen, dropped in the ocean, or replaced, the encryption key in the Secure Enclave is gone with it. The encrypted files on the device are gone too. Even if those files were somehow exfiltrated and sent to us, we could not read them — we have never had the key.
We could have built a sync system with a recoverable key escrow, like most apps do. We chose not to. The argument is straightforward: a recoverable system is also a compromisable system. If we can recover your key, then a court order, a rogue employee, a breach, or a future change of corporate ownership could recover it too. That is not a guarantee we are willing to extend over the contents of a person's examination of conscience.
The mitigation is simple. The app prompts you to write down a verbal Act of Contrition rather than depending on the journal alone. The Pre-Confession flow is designed to deliver value in a single session. Long-term spiritual growth is not contingent on retention of past examination data — in fact, the Catechism (CCC 1456) explicitly notes that the focus of confession is the present moment, not an archive of the past.
Confess. vs. cloud-based competitors
Most Catholic apps in this category sync data through iCloud, Firebase, or a proprietary backend. There are good reasons to do this — cross-device continuity, account recovery, multi-platform support — and most users are happy with the trade-off. We made a different one.
| Property | Cloud-based app | Confess. |
|---|---|---|
| Data location | App vendor's servers | Your device only |
| Account required | Usually yes | No |
| Subpoena-reachable | Yes | No |
| Recovery if device lost | Possible | Not possible |
| Cross-device sync | Yes | No |
| Vendor can read your data | Technically yes | Technically no |
| Encryption key holder | Vendor (often) | Your phone's Secure Enclave |
| Data after uninstall | May persist on server | Permanently destroyed |
Neither approach is "right" for every Catholic. If iCloud-class privacy is enough for you, the convenience of cloud sync is real. If the contents of your examination should reach no one but God and a priest, Confess. is built for that case specifically.
Confess. is free on the App Store. iPhone, iPad, and Apple Vision.