
Gee, thanks for contributing to the conversation and providing a useful alternative.

The only semi-popular better option I can think of is Matrix, but getting people on Signal is already hard enough and using Matrix on a mobile device is (last I checked) far from ideal.

Security is a gradient, not an all-or-nothing. Signal is vastly better than almost every other electronic communication method.



Once it's compromised there is no gradient anymore and you never know when things are compromised because three-letter agencies will anyway not tell you.


Given the risk of xyz agency, there seem to be only a couple options to me:

- side-load a peer reviewed apk so you can check the sigs and make sure all crypto is being done locally (and to make sure that the implementation is solid)

- manage your own keys like you would with traditional PGP emails. Give your public to your friend. Force them to send anything sensitive using it. Maybe change to symmetric keys from asym but rotate occasionally. But you still have to trust the app you use to do this unless you want to do it manually each time.

*These don't necessarily solve the metadata issue


> side-load a peer reviewed apk

Signal has open sourced clients with reproducible builds (on Android) and their encryption library has been reviewed by multiple 3rd parties to great acclaim.

PGP lacks forward secrecy, meaning if a key does get compromised all of your past correspondence is now also compromised.


This solution works then, right? So given this implementation (and not a Play Store or iOS download), one should be safe from xyz snooping?

Edit: As someone that has heard of forward secrecy but not how it relates to PGP, these were helpful reads:

https://signal.org/blog/advanced-ratcheting/

https://signal.org/blog/asynchronous-security/
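
The forward-secrecy point raised in this thread, as an added example that is not from any commenter and is not Signal's or PGP's code: a simplified symmetric hash ratchet compared with one long-term key, measuring how many already-sent messages a stolen key exposes. The function names, the sample secret and messages, and the demo-only HMAC keystream cipher are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data for this example only.
ROOT = hashlib.sha256(b"constructed demo shared secret").digest()
MESSAGES = [b"meet at noon", b"bring the docs", b"delete this after"]

def kdf_step(chain_key: bytes):
    """One ratchet step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key

def keystream_xor(key: bytes, data: bytes, nonce: int = 0) -> bytes:
    """Demo-only cipher: XOR data with HMAC-SHA256(key, nonce || offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        label = nonce.to_bytes(4, "big") + off.to_bytes(8, "big")
        block = hmac.new(key, label, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def send_with_static_key(key: bytes, messages):
    """Long-term key model: every message depends on the same secret."""
    return [(i, keystream_xor(key, m, i)) for i, m in enumerate(messages)]

def send_with_ratchet(chain: bytes, messages):
    """Fresh key per message; only the latest chain key stays on the device."""
    sent = []
    for m in messages:
        chain, message_key = kdf_step(chain)  # old chain key is overwritten
        sent.append((0, keystream_xor(message_key, m)))
    return sent, chain

def recoverable(stolen: bytes, sent, plaintexts, steps: int = 8) -> int:
    """Count messages readable with a stolen key or any key derived forward from it."""
    candidates, chain = [stolen], stolen
    for _ in range(steps):
        chain, message_key = kdf_step(chain)
        candidates += [chain, message_key]
    return sum(any(keystream_xor(k, c, n) == p for k in candidates)
               for (n, c), p in zip(sent, plaintexts))

if __name__ == "__main__":
    static_sent = send_with_static_key(ROOT, MESSAGES)
    ratchet_sent, device_key = send_with_ratchet(ROOT, MESSAGES)
    print("static key stolen, past messages read:", recoverable(ROOT, static_sent, MESSAGES))
    print("ratchet key stolen, past messages read:", recoverable(device_key, ratchet_sent, MESSAGES))
```

A stolen chain key still yields the keys for messages sent after the theft; closing that gap is what the Diffie-Hellman ratchet described in the linked Signal posts adds on top of the hash ratchet.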


So what do you use instead?


It's not about what to use, it's about having expectations of zero privacy when communicating online. Expect everything to be potentially public.



