The main site is located here: molly.im
The first paragraphs on the donation page:
The goal is to build a secure messaging app with integrated support for Monero payments and a decentralized backend.
The application will be based on the Signal fork Molly.im (henceforth ‘Molly’) but with a privacy-focused backend that allows the user to sign up anonymously (without phone number), encrypt their local database with passphrase encryption, RAM shredding, and more.
Monero features will include the ability to set up an XMR wallet, send and receive funds, keep track of the balance, and review the history.
From the lead developer: Code that doesn’t get executed cannot be exploited. It’s true that, when exploiting a vulnerability (in reachable code), you can take advantage of everything loaded into the program memory to take control of the execution, including unreachable code. But you’re assuming there’s a prior critical vulnerability in Molly that allows one to alter execution flow in the first place.
That comment does not make me confident in the developer.
No, the developer is assuming there isn’t such a vulnerability. No one can know if there is or not. Applications are complex; there’s a lot of code, a lot of room for a vulnerability to go unnoticed by even a skilled programmer. OpenSSL was a thoroughly reviewed open-source library that had been widely used for a long time, and Heartbleed still happened.
Another comment from them: Also consider that WhatsApp and iMessage were exploited by flaws in the multimedia libraries. Should we remove image and video sharing in messaging apps?
The difference is that image and video sharing are actually relevant features for a messenger. While it is possible to have a messenger that can only share text, and have other applications for sharing images and videos, that would significantly impact the UX.
Anything to do with money is not a relevant feature in messaging.
Fair argument