
Dissidents in places like Iran have already been attacked through weaknesses in secure messaging systems. No, I think you're on the wrong side of this argument.


And dissidents have been attacked through holes in iOS too.

I generally accept Moxie's / OWS's argument that upstream, patched Android with Google services and spyware/backdoor and all, is in general more secure than running a hodgepodge of FOSS software on a rooted phone - especially for less technically minded users (i.e., almost everyone if your target market is everyone).

I don't think it follows that a transparent platform running fully open and user-controlled software, perhaps backed by some form of web-of-trust cacert-like CA system can't ever work - and might not be a good idea to have available as a fallback if it turns out that the anti-democratic paramilitary organization you have to fight is one backed by the NSA.

I'm a little surprised how polarized these discussions tend to get - as if two ideas have to be mutually exclusive.

I think I understand OWS's reasoning with locking down their network and forcing phone number IDs - I don't really agree - but I understand the reasoning behind it.

It's really on all of us that care about open federated protocols to set up an alternative network, and OWS have even graciously provided source code and a protocol as a starting point - but it's a shame that rather than some email-like model where all systems could federate in a predictable way, we are forced to have three different networks (a hypothetical open-signal, signal and whatsapp).

I guess there's a lot of people that are still sore about Facebook and Google discarding XMPP, and breaking the unification trend that we saw a glimmer of a few years back. Even without federation, I could have one sane XMPP client, with OTR support, and chat both to my non-technical friends on gtalk and facebook - and have encrypted chats over those same servers, or through the federated XMPP network.

Now I have some people in Facebook's silo, some in Google's Hangouts silo, still quite a few on SMS/regular phone service, and a handful on Signal. That's not really the fault of OWS - I actually have a few non-technical contacts I can reach via Signal thanks to their focus on a simple SMS-replacing app. I just still wish I could cut back on the number of clients and have some sane federation.


Don't get me wrong: we absolutely need both.

But fixing the client when the host is still insecure/unknown is just going to move the target. If messages are secure, governments are just going to move to the OS-layer.


So you have two attack vectors, the OS host and the client application; why is it bad to secure the client? It doesn't ADD any attack vectors. What is the point in saying "Let's not secure the client software until the OS is secured"? It isn't like these are the same people working on the problem; Moxie isn't going to suddenly start working on securing iOS if he isn't working on OWS.


I don't disagree with you. This is a multi-pronged problem and we need multi-pronged solutions. I just think the OS is a higher priority than a texting client.



