And if so, why exactly? It says it’s end-to-end encrypted. The metadata isn’t. But what is metadata and is it bad that it’s not? Are there any other problematic things?
I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.
It’s not just that. Their app can easily have tracking components that look for the list of installed apps, how often you charge your phone, how often are you on a WiFi network, etc.
Also, the app and any tracking component it has can also freely communicate on the wifi network. That doesn’t only mean the internet, but the local, home network too, where they can find out (by MAC address, opened ports and response of the corresponding programs) what kind of devices you have, when do you have them powered on, what software you use on it (like do you use any bittorrent client? syncthing? kde connect? lots of other examples?), and if let’s say your smart tv publishes your private info on the network, it does not matter that you have blocked LG (just an example) domains in your local dns server, because facebook’s apps can just relay it through your phone and then their own servers.
If the app’s code has been obfuscated, exodus privacy and others won’t be able to detect the tracking components in it.
Are others different, like Signal and how do I know?
As a normal user I install both in exactly the same way, I have no way to verify that the code of the apk on the play store is exactly the same as the code published by Signal as open-source. How could I trust Signal more?
You can only know if you choose to read the code and compile from source. You can trust, in that your read the code and just install the app, or let others read the code for you. If reputable sources tell you it’s good, most of the time it’s good. How can you trust Signal more? Well you… shouldn’t. You could try to use a decompilation tool, don’t know if that works on Android’s apps though.