Hacker News | bugsbunny123's comments

Telegram isn't secure? Source please.


http://www.cryptofails.com/post/70546720222/telegrams-crypta...

Also, messages are not encrypted by default, and there is afaik no way to encrypt group chats. You have to create a special "secret" chat for the messages to be encrypted.


All messages are encrypted by default, but not client-client (in order to make cloud sync work): https://telegram.org/faq#q-why-not-just-make-all-chats-secre...


It is possible to create synced messages without depending on a server decrypting the messages. Here's how Tox is going to implement that: https://github.com/Quoturnix/ProjectTox-Core/wiki/Multiple-d...


True, but Tox requires a password for that. Telegram tries to be an alternative to WhatsApp so forcing people to sign up with an account isn't an option.


It's the other way around. Messaging apps need to demonstrate their own security by releasing the source code.

So far only TextSecure does this.


One doesn't demonstrate security by releasing the source.

One needs to have source released, audited and verified to match prebuilt binaries that are actually used by the unwashed gray masses. Without all three checked for each public build you have zero assurance that you are running a binary built from the released source and that the source doesn't have anything fishy in it.

The only app that checks all three, somewhat ironically, is TrueCrypt. PGPfone checked #1 and #3. TextSecure checks just #1 unless I am missing something, so objectively its "demonstrated security" is exactly the same as that of any other app that simply describes what it does in plain English and has traffic to prove it.


The Truecrypt audit still hasn't been finished yet, has it?


Telegram's client code is also open source.



