Marck's reaction is full of sincerity. My faith in Facebook has been restored to the level it had before the Cambridge Analytica scandal.
While Signal is open-source, the source code of the server used to make audio calls is not. That by itself is not a large issue aside from availability, since the server hosted by Open Whisper Systems is blocked in some countries. No, the real issue is that the server only accepts connections using Google Cloud Messaging, a function that is offered by the Google Play Services framework.
There are several reasons why people would refrain from installing and using the framework. One is privacy. Google's primary source of revenue is personal information. People who use Signal can be expected to value their privacy. Why else would anybody install it "if they have nothing to hide"? From a security perspective, the Google Play Services framework is closed-source and can update itself silently, without user confirmation. That should ring an alarm bell, since Google could cooperate with or be forced by governments to silently install a backdoor that would compromise the security of Signal (and any other processes running on the Android phone). From a functional perspective, there are Android devices which do not have Play Services or access to the Play Store.
In the famous words of Professor Hubert J. Farnsworth: good news, everyone! An open-source replacement for the Google Play Services framework has been released under the microG project. Also, a fork of Signal named LibreSignal has been released that can be installed through a third-party F-Droid repository.
Alas, the installation of all necessary components (all open-source, of course) is a tough road that cannot be followed by an average Android user. Users who are a bit more technically inclined can follow these instructions to install LibreSignal without Google Play Services.
Read more »