If they could surveil the device to see the PIN being entered then no app would protect them.
My Signal only asks for a PIN about once per month so that would be a lot of screen surveillance hours to sit through in order to catch that moment.
More likely is that it was fixed since the breach but I cannot find release notes (hard to search on my phone).
SimpleX is decentralized, requires no phone number, based on Signal code. Screws up invitations via FB/Messenger though.
Regarding the trick of an adversary gaining access by emailing or SMS’ing a QR code for adding another device…
Why does the new device not demand the PIN before being added?
“The only metadata that Signal would have access to, is the phone number used to register, the date of initial registration, and the date of last use.”
https://www.reddit.com/r/signal/comments/exd92f/what_kind_of_usermessage_metadata_is_observed_and/
In case people only saw the headline…
The sale is because a breach already happened: “hackers obtained personal data of about seven million of its customers in October 2023”.
They cannot afford the lawsuits.
I use the Signal a lot and have never been nagged to share my phone number.