[palata]

> Until next update will send your keys. Do you disassemble every update?

This is actually a big problem with all the web-based stuff where you re-download your client everytime you use it.

Now for an open source mobile app, you can actually compile it from source without having to disassemble. But of course it's not practical to audit it yourself. However, if the same binary is distributed to millions of people, you only need one of them to see the exploit.

If Signal updated the app to send the key, it would do it for millions of people through the Play Store. That's risky. Unless Signal convinced Google to send a specific binary to a specific user of course, but that's harder.