Image Sanitizer app icon

macOS

Image Sanitizer

Every photo from a phone or camera carries hidden data — the GPS coordinates of where you took it, the device that took it, sometimes a thumbnail of the original pre-edit version. Send the photo, share all of that with whoever receives it. Image Sanitizer reads the hidden data, strips it cleanly, and verifies the result — without touching the visible image. Local-only.

One-time purchase · macOS 11+ Buy Image Sanitizer — £7.99

Why this exists

In January 2018, a 20-year-old Australian student called Nathan Ruser was studying Strava’s newly published global activity heatmap and noticed distinct patterns of jogging routes in remote parts of Afghanistan, Syria and Iraq. Within hours, he and others had traced the perimeters of dozens of US and coalition military bases — revealed by their own troops’ fitness trackers, quietly broadcasting their location for years. The Pentagon changed policy the following week.

That’s GPS data leakage at scale. The same kind of data — exact coordinates, embedded by default — lives inside every photo from every modern phone or camera. Send a photo, share where you took it. In December 2012, the antivirus pioneer John McAfee was arrested in Guatemala after a Vice reporter posted a photo of him with the EXIF GPS data intact; readers extracted his coordinates within hours.

Over a decade later, the hidden data is still there, in every photo, by default. Some social platforms strip it on upload (Twitter, Instagram, Facebook remove GPS); many don’t (Discord, email, Slack, file-sharing services). The only way to be sure is to remove it yourself before the file leaves your device.

Image Sanitizer surfaces exactly what’s in the photo you opened, lets you strip it with one click, and verifies the result before reporting success.

How it works

  • Inspect first

    Pick an image and Image Sanitizer reports every metadata block present and decodes what’s actually in each one — not just “EXIF: 4.2 KB” but the decoded values: camera and lens, capture date, software, and any GPS coordinates. XMP (Adobe edit history, ratings, region tags), IPTC (captions, byline, copyright), PNG text chunks, ICC profile name, and any application-specific blocks are decoded and shown too. Fields that reveal location or identity are flagged.

  • GPS shown on an offline world map

    If the photo carries GPS coordinates, Image Sanitizer plots them on a bundled offline world map so you can see at a glance where the photo would give you away. The map ships inside the app — no tile-server lookups, no network requests, no leak of the coordinate you’re trying to remove.

  • One-click sanitise

    Click Sanitise and the format-specific writer strips every metadata block while preserving the visible pixels exactly. The output is byte-equivalent to the input for the parts that aren’t metadata — same dimensions, same compression, same colour.

  • Verification on every save

    After every sanitisation, Image Sanitizer re-opens the output and confirms zero metadata blocks remain. If anything leaked through, the tainted file is deleted and you see a clear failure — you don’t accidentally ship a file you think is clean.

  • Right-click integration

    Optionally install a Finder Quick Action so you can right-click any image and pick Sanitize with Image Sanitizer. Toggle it on or off from Settings → Finder integration; nothing is installed system-wide without your consent.

  • The original is never touched

    The output is always written to a new path of your choosing (suggested name: <original>-sanitized.<ext>). The input image remains exactly as you opened it.

Supported formats

Image Sanitizer handles the five formats you actually share:

  • JPEG (.jpg, .jpeg)

    Marker-stream walker that skips every APPn and COM segment. The same approach as jpegtran -copy none — no partial-edit risk.

  • HEIC / HEIF (.heic, .heif)

    ISOBMFF box manipulation: EXIF, XMP, and Apple proprietary metadata items are removed in place, padded with free boxes so byte offsets to the image data don’t shift. HEIC is the default format on modern iPhones; this is the most common format with the most aggressive default metadata.

  • PNG (.png)

    Chunk walker that drops tEXt, zTXt, iTXt, eXIf, iCCP, tIME, pHYs, sBIT, bKGD, hIST, and sPLT chunks. The image stream and its CRC are preserved bit-for-bit.

  • WebP (.webp)

    RIFF chunk walker. EXIF and XMP chunks are removed and the VP8X extension flags are cleared so downstream decoders don’t go looking for chunks that aren’t there.

  • TIFF (.tif, .tiff)

    IFD walker with an allow-list: only the structural entries needed to render the image are kept; the rest are filtered out in place and offsets fixed up.

What Image Sanitizer does not do

Image Sanitizer does not redact or blur visible content in the image — it only removes invisible metadata. To blur or black out a face, plate, or other visible region you’ll want a dedicated image editor.

Image Sanitizer does not certify legal or regulatory compliance. It helps remove common categories of hidden data; it doesn’t certify your workflow against any specific standard.

Privacy

Image Sanitizer makes one network connection on first launch to activate your licence key. After that, it makes no further network connections. Images are processed entirely on your device, and the GPS world map is rendered from data bundled inside the app — nothing about the photo, its coordinates, or its existence is sent anywhere. There are no analytics, no telemetry, no servers. See the privacy policy for full details.

Requirements

macOS 11 (Big Sur) or later. Apple Silicon (M-series) Macs. Distributed as a Developer ID signed and Apple-notarized disk image — not via the Mac App Store.

Support

For bug reports and feature requests, see the support page. For anything else, email support@whiteforgetech.co.uk.