The same goes for Telegram. The android client hasn't seen any updates to it's github repo since sep 2016.
And, it is quite easy to verify that WhatsApp's encryption is doing what we think. A friend of mine managed to reverse engineer their protocol in 2012 in less than 24 hours, by himself. And there is quite a big chunk of the computer security market that would disagree with the claim that something has to be open source to be verifiably secure.
No it's not. The fruit is: use a sideloaded Signal which you built yourself if you really need to be secure. If you're not, Signal is still better than Telegram or Whatsapp.
And, it is quite easy to verify that WhatsApp's encryption is doing what we think. A friend of mine managed to reverse engineer their protocol in 2012 in less than 24 hours, by himself. And there is quite a big chunk of the computer security market that would disagree with the claim that something has to be open source to be verifiably secure.