Given the risk of xyz agency, there seem to be only a couple options to me:
- side-load a peer reviewed apk so you can check the sigs and make sure all crypto is being done locally (and to make sure that the implementation is solid)
- manage your own keys like you would with traditional pgp emails. Give your public to your friend. Force them to send anything sensitive using it. Maybe change to symmetric keys from asym but rotate occasionally. But you still have to trust the app you use to do this unless you want to do it manually each time.
Signal has open sourced clients with reproducible builds (on Android) and their encryption library has been reviewed by multiple 3rd parties to great acclaim.
PGP lacks forward secrecy, meaning if a key does get compromised all of your past correspondence is now also compromised.
- side-load a peer reviewed apk so you can check the sigs and make sure all crypto is being done locally (and to make sure that the implementation is solid)
- manage your own keys like you would with traditional pgp emails. Give your public to your friend. Force them to send anything sensitive using it. Maybe change to symmetric keys from asym but rotate occasionally. But you still have to trust the app you use to do this unless you want to do it manually each time.
*These don't necessarily solve the Metadata issue