Compiling it yourself is not always necessary. If you are able to reproduce the build yourself (and match hashes of the build), you can be fairly certain that the binary is actually secure even if you did not check it yourself. If it was reproducible, some people would check that and point out if the hashes don't match.
You need to have a secure way to get the hashes from the build, though. One way to do it is to fetch the hash from multiple sources (e.g. your mobile phone (not connect over WiFi, of course), your PC (that is connected over Ethernet/WiFi), and maybe a VPN). MITM all these connects at the same time is hard.
If you are super paranoid you could always join an IRC and ask for the hashes. Real-time MITM the traffic is probably close to impossible (the attacker needs to read every message, and then decide to change it vs. just serving a different static HTML page).
Compiling the source code seems pretty useless to me. I do not want to read the 10000 lines of code such an app might use. There might be just a little line inside some auto-generate GUI code that is malicious and sends the unencrypted message to somebody's servers. And sending malicious source code is not that hard, either.
Your essentially argue for network vision for verification.
Keybase is doing a interesting thing were they have a Merkel tree and then they put the root of the Merkel tree into the bitcoin blockchain. When you fetch the tree, you can check the validity on the blockchain.
They could use public key pinning that people are sure to always hit keybase.io and then verify on the blockchain (I must check if they actually have HPKP activated).
An viable attack on that is pretty damn near impossible without actually comprosing the end user device.
An viable attack on that is pretty damn near impossible without actually hacking into the end user device.
You need to have a secure way to get the hashes from the build, though. One way to do it is to fetch the hash from multiple sources (e.g. your mobile phone (not connect over WiFi, of course), your PC (that is connected over Ethernet/WiFi), and maybe a VPN). MITM all these connects at the same time is hard. If you are super paranoid you could always join an IRC and ask for the hashes. Real-time MITM the traffic is probably close to impossible (the attacker needs to read every message, and then decide to change it vs. just serving a different static HTML page).
Compiling the source code seems pretty useless to me. I do not want to read the 10000 lines of code such an app might use. There might be just a little line inside some auto-generate GUI code that is malicious and sends the unencrypted message to somebody's servers. And sending malicious source code is not that hard, either.