The Verifiable Capture Stack Comes Into Focus

A free iOS SDK, in-camera signing on flagship cameras, default-on C2PA on Pixel 10, and a benchmark showing detection breaks under trivial perturbations. The building blocks of Succinct's "prove what's real" media stack are coming together.

From Detection to Proof

In late February, Succinct Labs released a benchmark called AdversIm. It put 15,630 images across eight fraud-relevant categories (including receipts, delivery proofs, news photos, and identity documents) through seven leading commercial AI-detection services. On unmodified AI-generated images, the strongest detectors caught more than 90% of fakes. After the team applied basic post-processing like a slight blur, mild noise, or JPEG recompression, those same detectors collapsed to 36%, 11%, and 13% accuracy. The perturbations were the kind anyone with a phone and a basic photo editor could apply. The dataset and code are open-sourced.

The moral is that detection is a losing position: defenders confront an unbounded space of possible attacks across every generator and every transformation, while attackers need only one evasion that works. That isn't a problem better classifiers fix.

Two months later, on April 23, Succinct released Zcam, a free iOS camera app and SDK that takes the opposite approach. Instead of asking "is this image fake?", it lets the image assert "this is real."

How verifiable capture works

When a photo is captured, the device computes a cryptographic hash of the raw pixel data. A signing key generated and stored inside a tamper-resistant hardware module (a secure enclave, secure processing unit, or equivalent) signs that hash. The signature, along with metadata and a hardware attestation, is packaged into a C2PA manifest embedded directly in the file.
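As an added illustration (not Zcam's, Google's or any vendor's code), the Go program below models the pipeline just described: hash the pixel buffer, sign the hash with a per-device key whose public half a vendor root has attested, and verify in the order a relying party should. The in-process ed25519 key standing in for the enclave key, the single-signature "attestation", and the flat Manifest struct are simplifications made for the example; real C2PA manifests are JUMBF boxes carrying COSE signatures and X.509 certificate chains. The pixel buffer is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a deliberately simplified stand-in for a C2PA manifest: it carries
// the ingredients described above (content hash, hardware-key signature,
// attestation) but not the real JUMBF/COSE layout.
type Manifest struct {
	PixelHash   []byte // SHA-256 over the raw pixel buffer
	DevicePub   []byte // public half of the per-device signing key
	Attestation []byte // vendor root's signature over DevicePub
	Signature   []byte // device key's signature over PixelHash
}

// Device models a camera whose signing key never leaves the enclave. Here the
// "enclave" is an in-process ed25519 key (an assumption for the example; a real
// secure element never exports its private key).
type Device struct {
	priv        ed25519.PrivateKey
	attestation []byte
}

// EnrollDevice plays the manufacturer's role: mint a device key and have the
// vendor root certify its public half. In production the root is a CA chain,
// not a bare key; the single-signature form is an assumption.
func EnrollDevice(vendorRoot ed25519.PrivateKey) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, attestation: ed25519.Sign(vendorRoot, pub)}
}

// Capture hashes the pixel buffer and signs the hash inside the "enclave".
func (d *Device) Capture(pixels []byte) Manifest {
	h := sha256.Sum256(pixels)
	return Manifest{
		PixelHash:   h[:],
		DevicePub:   d.priv.Public().(ed25519.PublicKey),
		Attestation: d.attestation,
		Signature:   ed25519.Sign(d.priv, h[:]),
	}
}

// Verify is the relying party's check, in the order a verifier should do it:
//  1. the device key chains to a vendor root we trust;
//  2. the signature over the hash is valid under that device key;
//  3. the bytes we were handed still hash to the signed value.
func Verify(m Manifest, pixels []byte, vendorPub ed25519.PublicKey) error {
	if len(m.DevicePub) != ed25519.PublicKeySize {
		return errors.New("malformed device key")
	}
	if !ed25519.Verify(vendorPub, m.DevicePub, m.Attestation) {
		return errors.New("device key is not attested by a trusted vendor root")
	}
	if !ed25519.Verify(ed25519.PublicKey(m.DevicePub), m.PixelHash, m.Signature) {
		return errors.New("signature over pixel hash does not verify")
	}
	h := sha256.Sum256(pixels)
	if !bytes.Equal(h[:], m.PixelHash) {
		return errors.New("pixel bytes no longer match the signed hash (edited?)")
	}
	return nil
}

// samplePixels builds a constructed 8x8 RGB gradient standing in for sensor output.
func samplePixels() []byte {
	px := make([]byte, 0, 8*8*3)
	for y := 0; y < 8; y++ {
		for x := 0; x < 8; x++ {
			px = append(px, byte(x*32), byte(y*32), byte((x+y)*16))
		}
	}
	return px
}

func main() {
	vendorPub, vendorRoot, _ := ed25519.GenerateKey(rand.Reader)
	cam := EnrollDevice(vendorRoot)
	pixels := samplePixels()
	m := cam.Capture(pixels)
	fmt.Println("original:", Verify(m, pixels, vendorPub))

	// Changing one channel of one pixel is enough to break the proof.
	edited := append([]byte(nil), pixels...)
	edited[0] ^= 0x01
	fmt.Println("edited:  ", Verify(m, edited, vendorPub))

	// A key the vendor never attested (e.g. a software key on a rooted device) fails at step 1.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := &Device{priv: roguePriv, attestation: make([]byte, ed25519.SignatureSize)}
	fmt.Println("rogue:   ", Verify(rogue.Capture(pixels), pixels, vendorPub))
}
```

The ordering in Verify matters in practice: checking the attestation first means an unattested key is rejected before any of its claims about the content are considered, and the final hash comparison is what makes any post-capture edit detectable.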

C2PA is the operative acronym here. The Coalition for Content Provenance and Authenticity, backed by Adobe, Microsoft, Google, OpenAI, Intel, the BBC, Truepic, and dozens of other organizations, publishes the open standard of the same name, which defines the manifest format, signing semantics, and trust framework. Almost every serious effort in this space is C2PA-compliant, and the recent C2PA 2.0 release tightened the metadata and security requirements. Succinct joined the coalition in November 2025.

What differs across implementations is where the signing happens, what hardware roots the trust, and what additional layers sit on top.

The current landscape

Hardware cameras with built-in signing. Leica's M11-P, released in October 2023, was the first camera to ship C2PA Content Credentials. Sony's A1 II, A9 III, and A7 IV bodies support it via a paid firmware upgrade ("Camera Authenticity Solution"). Nikon's Z9, Z8, and Zf bodies received C2PA firmware through partnerships, including one with the Associated Press, which ran field trials of signed wire photography. Canon's EOS R1 and R5 Mark II support it as well; Canon sits on the C2PA steering committee. These are professional bodies aimed at newsrooms and accredited photojournalists. Nikon's design is a useful reference for how the key is protected: the signing key lives in a Secure Processing Unit on the main processor board, so physical access to the camera alone doesn't yield a forgeable key.

Smartphones at the OS layer. Samsung's Galaxy S25 (early 2025) was among the first major smartphones to ship C2PA, using the Snapdragon 8 Elite's secure processing unit. Google's Pixel 10, announced in September 2025, went further: every photo from the Pixel Camera app is signed by default, the implementation achieved C2PA Assurance Level 2 (the highest currently defined), and signing leverages the Tensor G5 chip, the Titan M2 security chip, and Android StrongBox for tamper-resistant key storage. Pixel 10 also includes an on-device trusted timestamping authority and uses a fresh one-time signing key per photo, so that photos can't be linked to one another or to a particular device through their signatures.

Software SDKs. This is where Zcam slots in, alongside two longer-running competitors. Truepic, a founding C2PA member, ships a proprietary SDK (iOS and Android) that replaces the native camera, signs photos with keys backed by the Apple Secure Enclave or Android Key Attestation, and chains certificates through Truepic's own certificate authority. Its customers span insurance, lending, and identity verification, and the company has a chipset-level partnership with Qualcomm's Snapdragon 8 platform.

Numbers Protocol's Capture, founded in 2020, combines C2PA with the ERC-7053 blockchain standard for IP provenance, leaning into creator economics and content monetization. Numbers Protocol's product suite includes Capture Cam, an SDK, a search engine for digital media, and decentralized storage.

Zcam joins this layer as an open developer toolkit. Any iOS app can integrate the Zcam SDK to add C2PA-signed capture, rooted in Apple App Attest and the Secure Enclave, the iOS counterpart of the hardware-backed key attestation Pixel 10 relies on. An optional zero-knowledge proof layer, generated with Succinct's SP1 zkVM, wraps the App Attest verification in a privacy-preserving form: a verifier can confirm that a photo came from a genuine iPhone running a Zcam-derived app without seeing the underlying device-specific attestation data.

What's distinctive about the SDK approach

Pixel 10 and Samsung S25 are likely to do more for ambient C2PA coverage at scale simply because provenance ships on by default for every photo. The interesting question is what happens when a free, open SDK puts hardware-rooted verifiable capture in the hands of any iOS developer.

A few application contexts:

Insurance claim photos. Insurers already accept policyholder-submitted damage photos through mobile apps, and AI-generated damage photos are an emerging fraud vector. A claim photo that proves it was captured by a real iPhone running the insurer's official app, at a specific time, and has not been altered since is materially more useful to an adjuster than an unverified JPEG. Truepic has run this play in enterprise insurance for years; the open-SDK option could make it available to insurers who don't want to license a proprietary stack.

Gig-economy delivery confirmation. A DoorDash driver was banned this spring after submitting an AI-generated delivery photo, and fraudulent delivery photos have plagued the broader gig-work category despite biometric KYC at sign-up. Provenance-verified capture at the delivery point addresses the problem at the evidence layer rather than the identity layer.

Field journalism. A war correspondent's iPhone photo and a generative AI prompt currently produce indistinguishable JPEGs. C2PA-signed capture from a credentialed journalist's device, combined with the news organization's existing identity infrastructure, gives readers a verifiable chain from the scene to the published story.

Identity and KYC. Synthetic-identity fraud has grown alongside generative AI's capabilities. A cryptographically signed selfie or document capture, hardware-rooted to a real device, removes the simplest attack on the document-upload step: submitting a generated file as if it were a live capture. It does not, on its own, address a synthetic image replayed on a screen in front of the camera; that case is covered below.

Legal and chain-of-custody contexts. Hardware-bound provenance creates a stronger evidentiary foundation for digital media in legal proceedings. The standards work here is still maturing, but the cryptographic primitives are in place.

For practitioners building or evaluating systems where photo evidence matters, a useful mental model is to match the integration approach to the workflow: hardware cameras for high-end professional capture, smartphone OS-level signing for ambient coverage of everyday content, and software SDKs (proprietary or open) for application-specific verification at evidence-bearing moments. Zcam adds a credible open option at the SDK layer, with a privacy-preserving ZK extension that none of the other SDKs currently offer.

Edge cases worth tracking

A few details are worth understanding, since they shape what verifiable capture can and cannot do today.

Editing breaks the proof. Across every implementation, the signature is over the hash of the original image bytes. Cropping, recompression, color correction, or any other edit changes the bytes, therefore the hash, and therefore invalidates the signature. C2PA edit manifests can record the edit history, referencing the original as an ingredient, but the capture signature itself won't survive arbitrary modification. Zcam's documentation describes watermarking work intended to help photos survive cropping or metadata stripping in distribution; that work hasn't shipped, and some early coverage of Zcam appears to have credited the current ZK layer with survivability properties the SDK docs don't claim. Today, Zcam's optional ZK layer provides privacy of attestation details, nothing more.

Metadata stripping in distribution. Most consumer platforms strip C2PA metadata when users upload images. LinkedIn has first-class support for Content Credentials; most other major platforms do not yet. The Pixel 10 launch will create real pressure on platform-side adoption, and the gap between "capture is signed" and "the signature reaches the viewer" is one of the more interesting near-term coverage problems to watch.

Photo-of-photo attacks. None of the current systems claim to defeat physical replay attacks — pointing a verifying camera at a screen displaying a synthetic image. Some implementations include contextual metadata (subject depth, lighting, focus characteristics) that could flag suspected replay, and Truepic markets a "Controlled Capture" technology aimed at this. It's an active engineering problem.

Jailbroken or rooted devices. Hardware attestation breaks down on tampered devices. Zcam's docs explicitly note no support for jailbroken devices and discuss jailbreak/root detection as a defensive layer. This is a known limitation across the entire mobile attestation category.

Specification-implementation gaps. Independent researchers identified real failure modes in Pixel 10's C2PA implementation shortly after launch: in some configurations, manifest UUIDs and various metadata fields can be modified without invalidating the signature, and the manifest's signer certificate is name-based ("Google LLC"/"Pixel Camera") rather than uniquely device-identifying. The visual content is signed; the metadata describing it has more room than expected. The non-identifying certificate follows naturally from the per-photo unlinkability design noted above, but it does mean a verifier can't attribute a photo to a particular device or revoke one compromised device by its certificate. Google's implementation is still the most ambitious mobile C2PA deployment to date, and these are the kind of gaps that get closed in subsequent iterations.
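To make the signed-versus-unsigned distinction concrete, the added Go example below (not Google's or the C2PA project's code; the Claim fields, names and layout are invented for the illustration) builds two versions of a manifest for the same constructed pixel buffer: one whose signature covers only the pixel hash, and one that signs a canonical encoding of the hash together with the descriptive claim. Rewriting the manifest ID or timestamp still verifies against the first and fails against the second. This models the class of gap described above, not the specific Pixel 10 findings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Claim is the descriptive metadata a verifier will display next to the image.
// Field names are illustrative; real C2PA assertions use their own labels.
type Claim struct {
	ManifestID string `json:"manifest_id"` // e.g. a UUID
	Signer     string `json:"signer"`      // e.g. a product name
	CapturedAt string `json:"captured_at"` // claimed capture time
}

// LooseManifest models the failure mode: the signature covers the pixel hash
// and nothing else, so Claim can be rewritten without invalidating anything.
type LooseManifest struct {
	PixelHash [32]byte
	Claim     Claim
	Signature []byte // over PixelHash only
}

// BoundManifest signs a canonical encoding of the hash *and* the claim, so a
// metadata edit is as detectable as a pixel edit.
type BoundManifest struct {
	PixelHash [32]byte
	Claim     Claim
	Signature []byte // over signedPayload(PixelHash, Claim)
}

// signedPayload is the canonical byte string the bound signature covers.
// json.Marshal of a struct emits fields in declaration order, which is
// deterministic enough for this model; real implementations use CBOR/COSE.
func signedPayload(hash [32]byte, c Claim) []byte {
	body, err := json.Marshal(struct {
		Hash  [32]byte `json:"hash"`
		Claim Claim    `json:"claim"`
	}{hash, c})
	if err != nil {
		panic(err)
	}
	return body
}

func SignLoose(priv ed25519.PrivateKey, pixels []byte, c Claim) LooseManifest {
	h := sha256.Sum256(pixels)
	return LooseManifest{PixelHash: h, Claim: c, Signature: ed25519.Sign(priv, h[:])}
}

// VerifyLoose checks the pixel binding but, by construction, never looks at Claim.
func VerifyLoose(pub ed25519.PublicKey, m LooseManifest, pixels []byte) bool {
	h := sha256.Sum256(pixels)
	return h == m.PixelHash && ed25519.Verify(pub, m.PixelHash[:], m.Signature)
}

func SignBound(priv ed25519.PrivateKey, pixels []byte, c Claim) BoundManifest {
	h := sha256.Sum256(pixels)
	return BoundManifest{PixelHash: h, Claim: c, Signature: ed25519.Sign(priv, signedPayload(h, c))}
}

// VerifyBound recomputes the canonical payload from the manifest as received,
// so any change to Claim changes the message and the signature no longer matches.
func VerifyBound(pub ed25519.PublicKey, m BoundManifest, pixels []byte) bool {
	h := sha256.Sum256(pixels)
	return h == m.PixelHash && ed25519.Verify(pub, signedPayload(m.PixelHash, m.Claim), m.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pixels := []byte("constructed stand-in for a raw sensor buffer") // constructed sample input
	claim := Claim{
		ManifestID: "urn:uuid:00000000-0000-4000-8000-000000000001", // made-up value
		Signer:     "Example Camera",
		CapturedAt: "2025-09-01T12:00:00Z",
	}

	loose := SignLoose(priv, pixels, claim)
	loose.Claim.CapturedAt = "2024-01-01T00:00:00Z" // backdate the capture
	loose.Claim.ManifestID = "urn:uuid:00000000-0000-4000-8000-0000000000ff"
	fmt.Println("loose manifest still verifies after metadata edit:", VerifyLoose(pub, loose, pixels))

	bound := SignBound(priv, pixels, claim)
	bound.Claim.CapturedAt = "2024-01-01T00:00:00Z"
	fmt.Println("bound manifest verifies after the same edit:     ", VerifyBound(pub, bound, pixels))
}
```

The practical check this suggests when evaluating any C2PA implementation: for each field a verifier UI displays (time, signer, manifest ID, device claims), confirm whether it is inside the signed payload or merely adjacent to it.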

Where this goes

Hardware roots of trust are now standard across smartphones and professional cameras. The C2PA specification has matured to 2.0 with broad coalition backing. Software SDKs offer integration paths for any application that handles photo evidence. And on the proving side, the demonstration that a standard iPhone can generate cryptographic proofs at capture time without perceptible delay validates an architectural bet that's been gathering momentum for several years.

Detection paradigms hit a ceiling that "prove what's real" approaches don't. Every additional layer in the verifiable-capture stack (hardware enclaves, native OS signing, software SDKs, ZK privacy primitives, and the C2PA standard itself) moves the equilibrium further toward provable origin. That's the direction of travel, and the past six months have produced more concrete progress along it than the previous several years combined.