In recent threads about choosing secure messaging services to use on your mobile phone I have seen a number of people recommend the app Surespot. This would be a very poor choice to use as it is extremely likely that the US government has forced the developer to modify the server to intercept messages. While the backdooring was likely done for counter-terrorism purposes (blame ISIS), history has shown that once the government has been given a new power it will put it to use against existing problems. Consider the use of "sneak and peek" warrants authorized by the Patriot Act.
Why suspect Surespot is compromised?
The developer is no longer answering questions about receiving national security letters despite having quickly responded to such questions in the past. In addition, Twitter enthusiast and OPSEC guru @thegrugq has tweeted that he has received confirmation of the facts in the article. It is extremely likely that the developers are subject to a gag order that prevents them from informing anyone about the government demands.
You should all watch his OPSEC video. Seriously.
The way Surespot is set up allows the developer (or anyone else with access to the server) to generate a new key for a user and MiTM (man in the middle) them to intercept messages in their conversations. They list this as a weakness on their "threats" page.
What app should be used instead?
Use TextSecure (Android) or Signal (iOS), messaging apps with real end-to-end crypto. Both are made by Open Whisper Systems and they are cross-compatible, allowing you to talk to anyone using a mobile OS that matters. Both apps are open source, allowing them to be reviewed by security and encryption experts (yes, Surespot is open source as well, but the dangerous part is on their backend server, which cannot be audited). If you are dealing you can make an anonymous TextSecure phone by following this guide. Your customers will have to install TextSecure to message you but that is a small price to pay (plus if your number gets passed along to randoms their texts and calls will sink into a black hole).
Won't the same thing happen to TextSecure?
I'm not following the latest trends in Raqqa but hopefully ISIS isn't a big fan of TextSecure. Even if the government does show up with a national security letter, TextSecure has built-in protection against this type of attack. TextSecure caches the keys of anyone that messages you and will produce a warning popup if it detects them changing. Additionally, TextSecure allows you to verify the key of anyone you are messaging by scanning it with a barcode app. If you do this with each of your contacts that you start a TextSecure conversation with you can be reasonably sure that your conversation will be protected. As the TextSecure and Signal apps are open source, any change to remove these protections will be noticed. Turn off automatic updates on your device and wait a day before installing a new TextSecure update. If the update is malicious and weakens the protections it will be all over the tech press.
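To make the key-caching and fingerprint-verification behaviour described above concrete, here is an added example that is not code from Surespot, TextSecure or Signal: a minimal trust-on-first-use (TOFU) identity-key cache. The first identity key seen for a contact is remembered, a later message carrying a different key is flagged, and a contact can be marked verified only after an out-of-band fingerprint comparison. The fingerprint format, the `KeyCache` API and all keys and contact names are constructed for this example.

```python
"""Added example (not Surespot's, TextSecure's or Signal's code): a minimal
trust-on-first-use identity-key cache with key-change detection and
out-of-band fingerprint verification. All keys and names are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Union


def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint: SHA-256 of the key, truncated to 160 bits,
    shown as ten 4-hex-digit groups. The grouping is an assumption for
    readability, not any real app's format."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


@dataclass
class Contact:
    key: bytes
    verified: bool = False  # set only after an out-of-band fingerprint check


@dataclass
class KeyCache:
    """Stores the first identity key seen per sender (TOFU)."""
    contacts: Dict[str, Contact] = field(default_factory=dict)

    def check(self, sender: str, key: bytes) -> str:
        """Classify an incoming key: 'new' (first contact, stored), 'ok'
        (matches the cached key), 'changed' (differs from an unverified cached
        key) or 'changed-verified' (differs from a key the user verified in
        person, the strongest signal that something is wrong)."""
        known = self.contacts.get(sender)
        if known is None:
            self.contacts[sender] = Contact(key)
            return "new"
        if known.key == key:
            return "ok"
        return "changed-verified" if known.verified else "changed"

    def mark_verified(self, sender: str, fingerprint_seen_in_person: str) -> bool:
        """Mark a contact verified only if the fingerprint obtained out of band
        (read aloud, scanned from their screen) matches the cached key."""
        known = self.contacts.get(sender)
        if known is None or fingerprint(known.key) != fingerprint_seen_in_person:
            return False
        known.verified = True
        return True

    def accept_new_key(self, sender: str, key: bytes) -> None:
        """User explicitly accepts a changed key; verification starts over."""
        self.contacts[sender] = Contact(key, verified=False)


# Constructed sample keys (not real key material).
ALICE_KEY = b"alice-identity-key-v1"
SUBSTITUTED_KEY = b"server-substituted-key"  # what a backdoored server would push


def simulate() -> List[Union[str, bool]]:
    """Walk through first contact, verification, a key swap, and a contact
    whose key was already substituted before first contact."""
    cache = KeyCache()
    events: List[Union[str, bool]] = []
    events.append(cache.check("alice", ALICE_KEY))                       # 'new'
    events.append(cache.mark_verified("alice", fingerprint(ALICE_KEY)))  # True
    events.append(cache.check("alice", ALICE_KEY))                       # 'ok'
    events.append(cache.check("alice", SUBSTITUTED_KEY))                 # 'changed-verified'
    # The cache alone cannot catch a key substituted before first contact:
    events.append(cache.check("bob", SUBSTITUTED_KEY))                   # 'new'
    return events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

The last step in `simulate()` is the reason the post tells you to verify each contact's key by scanning it: caching only detects a key that changes after first contact, so a key swapped in before the first message looks like any other new contact until the fingerprint is compared out of band.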
Who was the user that's all over the forums that always plugged "SureSpot"???
Anyone remember who that was? EDIT Never mind, it's u/Hank_Vendor and u/Vendor_BBMC, might want to change up your opsec a bit and not let everyone know you use that app and also maybe stop?