Signal can add backdoors to their own app and, if the app gets compromised (or the device), the security of the encryption model is not relevant. That's the reason why I see Signal and Telegram as comparable.
Signal is open source, but (info based on this 3-year-old thread on F-Droid):
- It has binary blobs and proprietary dependencies.
- It doesn't allow reproducible builds.
- It's hostile to forks (they blocked LibreSignal from their servers).
- They don't want independent builds on F-Droid (nor any fork on F-Droid).
Which doesn't seem FOSS friendly.
I agree that Signal has a more robust security model. What I mean is that it also has risks, and a lot of people are ignoring them.
The backdoor could be a sleeping function activated from outside for targets of interest, or 'special' updates from the Google store (i.e. with Google's help, installing a different version of the app on the target). But I'm not a security or Android expert, and it's all theoretical whether this attack vector is possible, but I think it is unlikely.
Also, if the NATO country where I live wants to spy on my mobile, it would use Pegasus 🤷🏽♀️
Off topic: Signal's reproducible builds haven't worked since at least May.