And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?
I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.
Other apps may have code published in a repository, but the path from repository into the Play Store onto my phone is not clear. How do I know that they don’t add extra tracking code on top during the build and release to the Play Store? With for example a popular alternate app, Signal?
You don’t have to use the Play Store. You can either compile Signal yourself or use a trustworthy 3rd party build of Signal. Personally, I use Molly. It’s Signal for Android but with some neat tweaks. It’s not even available on the Play Store, it’s exclusive to F-Droid and Accrescent. You can’t do any of this with proprietary garbage like WhatsApp. Neither can you modify it to add features, nor can you look at the source code or compile it yourself.