The ergonomics of PGP are awful. The author's appreciation of Signal is valid, except for one caveat: what if your phone has malware? That's all your fancy Signal crypto out the window. It's the usual argument of: `A chain is only as strong as its weakest link`.

My point is: there are other factors to consider besides advice like: `Just download Signal and you're golden`.

Edit: I'm referring to people casually saying: `Download Signal and you'll be fine` and not pointing out other OPSEC practices we all need to follow, regardless of threat model. (Not clicking on malicious links sent via SMS etc).

Can you describe a system that is effective when your phone has malware?

I have a little experience with this, designing systems that use TPMs and remote attestation to shut down communication rather than allow forgery or leaks. It’s very delicate to begin with, even if one entity owns all the devices, and unsolved for the general case.

But iOS and ChromeOS seem pretty good.