If we take your TLDR at face value, then the result is in no way specific to Signal. Threema, Session, Matrix, Briar, RocketChat, and any other messenger (including the closed source ones) would be equally affected. For that matter, so would Keybase, any encrypted e-mail provider you access from your phone, your VPN (personal or paid) … everything.
Given that, singling out Signal in the post title is clickbaity at best. If I’m putting on my <tinfoilhat> it could be seen as an attempt to drive people to less secure options by scaremongering the one that provides the most protection.
But if we make the assumptions you suggest, why stop there? An undisclosed vulnerability needn’t be limited to stock Android - any fork is potentially vulnerable. And why aren’t they calling for LUKS backdoors? Or the elimination of VPNs? Or … </tinfoilhat>
The reality is that there is another axis to security this type of all-or-nothing aproach to security ignores - how interested are they in you as a target. When that is factored in, the conclusion is that the use of encryption as secure as possible wherever possible helps everyone, because:
- Most approaches to retrieving that data take time and effort to apply. The governments have vast resources, but not unlimited, so they pick their targets based on priority. More people using encryption helps with this.
- The more often they use a backdoor or vulnerability, the more likely they are to be caught at it. So they will probably save it for higher priority targets. More people using encryption helps with this.
- High priority targets remain vulnerable to the hammer attack. With governments, this more often looks like terrorism charges, tax audits, obvious surveillance for intimidation, etc. In extreme cases though, everything up to and including disappearing and assassination are on the table. This one encryption doesn’t help with.
TLDR: Even if true (big if), this type of scaremongering is unhelpful at best, and probably counterproductive. Name checking the most secure option when the threat model applies to any possible messenger is clickbaity and definitely counterproductive.
Except that I didn’t accuse you of clickbaiting - I pointed out that the style was similar and has unfortunate consequences.Because the headlines we’re used to reading are so pervasively clickbait, it’s an easy trap to fall into because that’s how we’re used to seeing things titled.Edit: On rereading my comment - yeah, that did come off pretty confrontational. Signal gets a lot of bad-faith criticism from people pushing alternatives that are provably less secure, so it’s a knee-jerk reaction for me at this point. In my defense, there’s a reason the more confrontational statements were in a “tinfoil hat” tag - it was meant to make clear they were not literal accusations.