MITM attack
Created by: blacoste
Key exchange does not prevent from a man-in-the-middle attack.
1/ There is no way to check that the key associated to the contact on the user application is the same than the contact one. The application allow to print our own key fingerprint but not the contacts' one. 2/ There is no way to flag a contact as "authenticated", after a manual verification.
The aim of SMSSecure is to protect the user's privacy against the network operator. But it could implement an automated MITM exploit and make SMSSecure totally useless. Today there is no way to check if this has already occurred on your device because fingerprints can't be checked.