A message no one can see —
except the person it's meant for.
VARO hides an encrypted message inside an ordinary photo. The picture looks completely normal. There is nothing visible to the eye — and nothing a computer can pull out — unless it is opened inside the private tunnel you and your contact created together.
The idea in one sentence
You write a private message, VARO tucks it invisibly inside a normal photo, and only the person you've verified can read it back out — directly on their phone, with nothing stored anywhere.
Step by step
You create a private tunnel with a contact
The first time you connect with someone, both phones agree on a shared secret and show you the same short safety code. You check that the codes match — that's it. From that moment on, only your two devices hold the key to this tunnel.
You write your message and pick any photo
Type whatever you want to stay private and choose a normal picture from your gallery. The photo can be anything — a sunset, a coffee, a cat.
VARO hides the message inside the photo
Your words are encrypted and woven into the image on your device. The result still looks exactly like an ordinary photo. There is nothing visible to see — not to a person, and not to a computer.
You send the photo any way you like
Share it through a chat app, email, anywhere. To everyone else it's just a picture. Even if someone saves or inspects it, they see only an image.
Your contact reads it inside the tunnel
When your verified contact opens the photo in VARO, their phone uses the shared key to reveal your message. Without that tunnel, the hidden message simply cannot be opened.
What this means for you
No accounts. No phone numbers. Nothing uploaded to a server, ever. Once the tunnel exists, only the two parties hold the code that decrypts the message — and the hidden data on the photo cannot be detected with the naked eye or read out by any computer. It is simply an encoding that becomes visible only through the tunnel.
For people who want the real mechanics
VARO combines three well-established ideas — authenticated encryption, error-correcting codes, and frequency-domain steganography — and runs all of them locally on your device. Here is the full pipeline, end to end.
Establishing the tunnel
A shared secret per contact
When two users pair, their devices perform an authenticated key exchange. The resulting shared secret never leaves either device. A short, human-readable safety code is derived from it so both sides can confirm out-of-band that there is no party in the middle.
Verified once, trusted after
Matching the safety code on both phones confirms the tunnel's identity. From then on, the key material is stored only in your device's secure storage and is used to protect every message in that tunnel.
Hiding a message
Authenticated encryption
Your plaintext is encrypted with a modern authenticated cipher (ChaCha20-Poly1305) using a key derived from the tunnel secret. This produces ciphertext that is indistinguishable from random data and is tamper-evident.
Error-correcting code
The ciphertext is wrapped in a Reed-Solomon error-correcting layer (~1.8× redundancy). This lets the message survive the small distortions that normal image handling can introduce, while carrying no readable structure of its own.
Frequency-domain steganography
The protected payload is embedded into the image's DCT coefficients — the same frequency representation used by ordinary photo compression. The changes are spread across thousands of coefficients far below the threshold of visual perception.
An ordinary-looking photo
The output is a standard image file. It opens in any gallery and looks identical to a normal photo. The payload is encrypted, so without the tunnel key there is nothing to extract — only high-entropy data that is statistically inseparable from natural image noise.
Reading it back
Reverse the pipeline, inside the tunnel
Your contact's device reads the candidate coefficients, runs the error-correcting layer, and decrypts the result with the shared tunnel key. The authentication tag must verify — if anything was altered, or the key is wrong, decryption fails and nothing is revealed.
Why it can't be read from the outside
The hidden data is ciphertext, not text. It carries no header, no signature, and no visible pattern. To anyone without the tunnel key, an inspected photo yields only what looks like ordinary image noise — there is no message to find, even with computational analysis. The only place the plaintext ever exists is on the two verified devices, at the moment of writing and reading.
At a glance
No security technology is ever absolute, and VARO is provided without warranties of any kind. See our Terms of Use and Privacy Policy for the full details.