Do you have any other app recommendations?
It's less about picking any one app as the "right" choice and more about having defense in depth.
In no particular order:
Pick the most secure app that meets your needs while realizing that no system is 100% effective 100% of the time (I would use SimpleX myself, for example).
Use a unique username that isn't associated with your daily life in any way. JohnATL74, as a random example, probably tracks back to a male named John, associated with Atlanta in some way, and the 74 is probably a year. Not a lot, but with enough other cookie crumbs, it could be enough.
Use a secure VPN, ideally one with additional obfuscation at the point of egress and no record keeping.
Use a burner device and make sure no other accounts that could act as identifiers are used on that device; the device should only be used with your pseudonym/username.
Disable push notifications and any other device services or apps that you do not need.
Run security and app updates frequently to patch vulnerabilities.
Be sure the device you're using is encrypted; full disk or file-level encryption.
Be sure the device locks after a short time of inactivity.
Require a PIN or password on the lock screen (someone could trick or force you into giving up bio-metrics but a PIN or password is only ever in your head).
Reset your passwords regularly.
If there are manual things that have to be done to ensure continued security, like cycling message queues, then set reminders to do those things.
Use an email service that does not require you to provide and kind of identifiers (or that you can fill with junk data) and only use it with your pseudonym.
Listen for any concerning news about any apps you are using to determine if it's time to burn everything. Yes, the company probably has your info (email address, username, etc.) but if none of it can be traced back to you, and the device is quite literally burned, crushed, or the encryption key is wiped out, there will be very little evidence left.
Scrub the metadata off of any personally created content before sharing.
Wear a mask, cover up identifiers like tattoos, scars, etc. in your content, and don't have the local news or radio stations playing in the background. Don't switch between an eye mask and a face mask, that will make creating a composite image of your full face easy. Pick one, the other, or both and then stick with it in all of your content.
Avoid sharing any kind of location data until you have some way of fully trusting the person on the other end of the conversation.
If you decide to meet, do it in public, preferably outside, and make your "identifier" something that you can take off and pocket easily (e.g. I'll have a green handkerchief in my left shirt pocket). Don't put it on until you have scoped the place for suspicious activity. You're not looking for the specific person you're meeting at this point, just anything that might indicate LEO or anti activity. This lets both parties check the place out before revealing themselves. If it seems safe, raise your flag. If
anything feels off, walk away. Not 100% effective since it's subjective and relies on human observation skill but it's something.
This went a bit past device and app security, but end-to-end encryption only protects you if you also consider the real world risks to yourself.
