Can an entity not claim "Look at our source code and see for yourself" while at the same time running code that is altered slightly to spy on its users?
The idea here is typically client vs server
You run the open source client code, which handles the encryption, then pass it to the server (which purports to be the same as the open source code that is published) which essentially just acts as a coordinator / message passer. Very high level.
Of course, there are ways this breaks down:
Server code is not the same as the open source code, and has been altered to either keep more logging (where and when messages are going, but not necessarily what's in them), or store messages for later attempts at breaking the encryption
The client code is not actually the open source code, in the case that it came from a marketplace of some sort and depending on if/how it was signed/hashed
Operating system - I'm assuming you're running the app on some sort of device with an OS
There are ways to secure against some or all of these, but each step takes more effort, usually for both the sender and receiver (i.e. sending messages as encrypted attachments, using relays/proxies, etc)
And, in general, just assume that these things are happening and act accordingly
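One way to act on the "if/how it was signed/hashed" point for the client code, as an added example that is not part of the original thread: a stdlib-only Python check that compares a downloaded client package against a sha256sum-style manifest published with the source release. File names and contents are constructed; it assumes the manifest itself came over a channel you trust (e.g. you already verified its signature), since a hash alone cannot tell you who published it.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(manifest_text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    entries = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip malformed lines rather than trusting them
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum
    return entries


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large packages do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: str, manifest_text: str) -> str:
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_sha256sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # a file the release never published is as bad as a bad hash
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"


def demo() -> dict:
    """Constructed scenario (hypothetical files): a genuine build, a tampered copy, an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "client-1.0.tar.gz")
        with open(genuine, "wb") as f:
            f.write(b"pretend this is the reproducible client build\n")
        manifest = f"{sha256_file(genuine)}  client-1.0.tar.gz\n"  # as published with the source
        os.makedirs(os.path.join(d, "store"))
        tampered = os.path.join(d, "store", "client-1.0.tar.gz")  # same name, altered content
        with open(tampered, "wb") as f:
            f.write(b"pretend this is the reproducible client build\n# extra logging\n")
        unknown = os.path.join(d, "client-1.1.tar.gz")
        open(unknown, "wb").close()
        return {"genuine": verify_artifact(genuine, manifest),
                "tampered": verify_artifact(tampered, manifest),
                "unknown": verify_artifact(unknown, manifest)}
```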