by api 4388 days ago
Everything this article says is true. That being said, it also applies to any regular application that can be upgraded automatically or that's upgraded at all by a third party. Anything you get off an app store can have its code switched out from under it with minimal and routine or in some cases even no user interaction. All someone has to do is compromise the signing key, which is probably not that hard in many cases.

Sure, but there's a world of difference between communicating with a webapp that claims to protect your privacy even from the NSA (but actually cannot) vs. "any regular application", which makes no such security claims, and from which savvy users won't expect that kind of protection.

People with important information to communicate that they must protect from the powers that be (quite possibly to protect their own lives) will seek out secure methods; at the same time, the powers they're avoiding will be targeting secure communication methods.

This application doesn't protect communications from the owners of the application under any circumstances. Forget about the NSA.
Scarily true. The amount of damage malicious actors with keys can do is greatly magnified by the auto-update mechanisms that developers love.
I have an app with auto-update, and one day I realized that I had (more or less) root on hundreds of users' machines. I'm not special in this regard.

I take fairly strong precautions with my keys: offline storage, encrypted, signing on an air-gapped machine. I'd bet you money that most people aren't so careful. There are probably a lot of secret signing keys sitting in Dropbox.