this subject came up briefly at the silk meet, which i was happy to attend.
several points should be made:

1. some people expressed concern with installed base of particular apps among the people they want to talk with. of course, this number starts at 0 for any new app. also low installed base might have some advantages in obscurity or just “not being worth the trouble”. yet. remember macs did not suffer malware for many years because the installed base was insignificant, even though in a financially favorable demographic.

for me, secret or sensitive conversations happen among very few people, and it should be that way. (the best way to keep a secret is to not share it.) so you don’t have to persuade a lot of people to install a new app if the purpose of it is to have some assurance that, say, two of you are speaking privately. the biggest problem with multiparty conversations is that the main points of vulnerability are the endpoints (either being compromised, or logging the content) rather than the communication security. (for some, such as skype, the key management is enough of a problem now that it isn’t trustworthy by my reckoning.)

2. open source apps are likely to be more secure, since it’s easier to verify design and find design and implementation errors. (of course, if a developer has evil intent, they can distribute a version of the app that isn’t the same as what’s in the source. eventually it will be found that the distributed version doesn’t build from the source and then there will be some ’splaining to do.)

closed source apps sometimes have audits done. but remember that skype originally, as written in Estonia, was audited by Tom Berson, an eminent cryptographer, who gave it a clean bill of health. But then a Chinese version was built as a jv and operated by tom.com which turned it into a surveillance app. and then skype was bought by microsoft, who centralized the key management on their key servers rather than having the keys generated on the endpoints. (and, nonetheless, skype continued to feature berson’s years-old report on their web site as “proof of security” long after it was applicable to what their code actually did.)

3. here’s a semi-journalistic report on vice which points to some serious issues on whatsapp and telegram:
https://www.vice.com/en/article/qj4qjd/whatsapp-data-security-issues

and an actual technical report by dmitrienko and schneider about problems in contact discovery is summarized and pointed to by
https://www.eurekalert.org/pub_releases/2020-09/tud-pms091520.php

cheers,
m.
