Comment by hot_gril

It's not a big expensive task to look at what data an app is sending/receiving. Anyone with minimal reverse-engineering skill will know how to intercept HTTPS to/from their own phone in 5 minutes. Signal uses some other protocol, but it's also doable, also it's open source anyway.

The conclusion isn't that Signal should be closed-source, it's that Signal's servers should not trust the clients not to be tampered with. So after 90 days, they will remove phone numbers from the protocol for users who have hidden them, breaking old clients, which is fine. What is the alternative solution you're thinking of?