Hacker News

If the client is properly developed and secured, they cannot break it without shipping an update to that client to change its behavior - which then affects everyone.


I'm quite sure they can use the app store to push a targeted update just to some.


Yes, an operating system that uses a compromised software supply chain is at risk of compromise, but that really has nothing to do with e2ee.


E2EE itself as a concept is ridiculous. The word was stolen from networking, end to end, and repurposed for an entirely different and nonsensical context to describe something else entirely. It has to do with "E2EE" because the biggest provider of it, Signal, pushes you to use 'compromised software supply chains', namely iOS and the Play Store, going even so far as to spread FUD about alternative distribution mechanisms, like APKs. That's why you have to go out of your way to find the APK of the app on Signal's website.


I am very suspicious of Signal for not being on F-Droid, but being on the Play Store.

I'm sure the protocol is fine and all, but the Play Store can easily be used to compromise everything anyway.

Also, I've read many times Bruce Schneier claiming that Signal is the most secure communication system that exists, and WhatsApp is the 2nd best, because it (allegedly, but we don't know) uses the same protocol.


Do you think F-Droid is more resilient to malicious influence than Google's Play Store?

I haven't looked deeply into how F-Droid is currently operating, so maybe I'm off here, but isn't it just all on a server run by some random guy in his free time? I love what F-Droid is doing, and I think it has a bright future, but in its current state I would never trust it on any of my devices that I use for anything important.

Also, yeah, it really is super easy to crack open the WhatsApp APK and confirm that it is, in fact, using libsignal. That would be kind of a weird thing to lie about, since anyone could quickly call them out on it.
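
The check described in the comment above, as an added example that is not part of the thread and not WhatsApp's or Signal's own code: an APK is a zip, so listing its `lib/<abi>/` entries shows which native libraries it bundles. The APK here is constructed in memory, and the library file names (`libsignal_jni.so`, `libcrypto.so`) are assumptions for illustration, not taken from a real package.

```python
import io
import re
import zipfile

ELF_MAGIC = b"\x7fELF"
NATIVE_LIB = re.compile(r"^lib/([^/]+)/(lib[^/]+\.so)$")


def build_sample_apk(with_signal: bool = True) -> bytes:
    """Constructed stand-in for an APK (a zip with a lib/ tree).

    The library names are assumptions for the example, not extracted
    from any real app package.
    """
    stub = ELF_MAGIC + b" constructed stub, not a real shared object"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        for abi in ("arm64-v8a", "armeabi-v7a"):
            z.writestr(f"lib/{abi}/libcrypto.so", stub)
            if with_signal:
                z.writestr(f"lib/{abi}/libsignal_jni.so", stub)
    return buf.getvalue()


def native_libs(apk_bytes: bytes) -> dict[str, set[str]]:
    """Map each ABI directory in the APK to the native libraries it ships.

    Only entries that start with the ELF magic are counted, so a renamed
    text file sitting under lib/ does not pass as a shared object.
    """
    libs: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            m = NATIVE_LIB.match(name)
            if not m:
                continue
            with z.open(name) as f:
                if f.read(len(ELF_MAGIC)) != ELF_MAGIC:
                    continue
            libs.setdefault(m.group(1), set()).add(m.group(2))
    return libs


def ships_libsignal(apk_bytes: bytes) -> bool:
    """True if every ABI directory bundles a libsignal*.so.

    This only shows the library is packaged. It says nothing about whether
    the app's own code routes every message through it, or whether another
    code path can export plaintext, which is the caveat raised in the
    replies: bundling libsignal does not rule out a side channel.
    """
    libs = native_libs(apk_bytes)
    return bool(libs) and all(
        any(n.startswith("libsignal") for n in names) for names in libs.values()
    )


if __name__ == "__main__":
    apk = build_sample_apk()
    for abi, names in sorted(native_libs(apk).items()):
        print(abi, sorted(names))
    print("bundles libsignal:", ships_libsignal(apk))
```

To run this against a real package, pass the bytes of the downloaded `.apk` to `native_libs()`; a split APK may keep native libraries in a separate `config.<abi>.apk`, so check each split rather than only the base.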


Using libsignal doesn't mean that there is no API to enable a side channel :)

I think that Google and Apple would just comply and do whatever they are told, while the F-Droid guy needs to be hacked and might notice he got hacked, so in that sense it's safer.


Them not being on F-Droid is justifiable because the F-Droid app IS less secure than the alternatives. It does not use the modern Android session installer, which is problematic in many different ways. Granted, there are third-party F-Droid apps like Droidify that fix these issues.


How is it less secure than the play store?


No need, push an update to all that only affects certain users. But if anyone ever de-obfuscates that, your reputation is gone.


If you push only to some it's less likely to ever be detected.



