Would be interesting to dump the app binaries so people can take a look at how it's put together; I suspect it's a minefield of sloppy injection functions into how Signal works.
I felt the writer implied open source code was a bad/insecure thing, since they downloaded a zip file from some WordPress upload folder. I'm guessing the code was being made available to companies that "legally" obtained TM-SGNL.
Source: I'm the admin who installs TM-SGNL for many users.