I have dealt with numerous requirements from leadership teams concerning secure communications, particularly for publicly traded companies needing secure messaging for their execs/R&D. This has led to several security assessments, including one for a now-dismantled Canadian app. My most recent PoCs with Threema and AWS Wickr were for a client desiring secure, on-premise messaging solutions. Both platforms showed promise with the right setup and dedicated support. Given Wickr's use by the US DOD and other government entities, there's a significant incentive to maintain security, at least against adversaries of the US. Threema, in my opinion, remains the most reliable option for secure communications currently available. Although Signal now offers usernames, its reliance on phone numbers could pose an OPSEC issue. Despite hearing some rumors about Signal, I've yet to come across any verifiable evidence of its compromise.
I take it you're referring to the recent GoFetch incident? My stance is one of cautious optimism. Despite the serious nature of the vulnerability, particularly with the potential for remote access and data leakage, the barriers an attacker must overcome are significant. Moreover, the necessity of physical access to decrypt the device adds another layer of complexity, likely rendering this attack vector impractical for many threat models. Classroom software does raise eyebrows due to its background operations, but there are workarounds, such as startup scripts to terminate the process or tools to block it outright. It's important to consider that for certain threat models, the assumption includes having capabilities to defend against such threats, for instance, through proper monitoring.
You could also keep tabs on
Secure Messaging Apps Comparison | Privacy Matters. While it does not show this from LE perspective, it does give you insight into the security controls of the app.
