surespot cannot see your messages. Every message and image sent using surespot is encrypted and can only be opened by the person you sent it to. Our servers never see your private key so we have no way of decrypting the messages. All anyone else sees is scrambled/ciphertext.
Why? PRIVACY, because surespot is not associated with your phone number or email address, instead you choose a username. Usernames are case sensitive and the only way you will be identified. Passwords can NEVER be reset or recovered.
YOU MUST preserve your surespot identity by saving an encrypted copy to local or cloud storage. Your identity contains your encryption keys and to protect your privacy we do not store them. If you get a new phone or uninstall/reinstall surespot you will need to restore your identity.
From the home screen invite other users, usernames are case sensitive and unique. You can also pop up your QR code and have others scan it.
From the menu choose "share invite link". From there you can choose to send an auto-invitation by email, text or social media. surespot does not mine your contacts to automatically to find other users because we do not store your phone number or email, or any other identifying information. The invitation will direct the recipient to install surespot and then will automatically invite you.
Once a friend has accepted your invitation you can assign a picture or alias to them by long pressing their name on the home page.
Touch a friends name on the home page to open a conversation tab. The first message sent may take a moment as the key exchange occurs. Now the two of you share the secret key that allows you to decrypt each others messages. NO ONE ELSE can decrypt these messages and images, not even us.
Hold down the microphone button to record your voice message, release it to send. A countdown timer lets you know how much time you have left. If the conversation tab is open, a received voice message will play aloud immediately otherwise touch once to play and again to stop.
On Android, surespot uses an open source emoji library that anyone can contribute to. The library is getting bigger all the time. Touch the randomly assigned emoji button (yes, sometimes it is a purple octopus, sometimes a ninja) to pull up the emoji keyboard, touch it again to put it away. On iOS, surespot uses the native emoji keyboard. You may need to enable the "Emoji" keyboard under Settings/General/Keyboard/Keyboards on the device.
You can select a picture to send from within surespot or by choosing share from the gallery (on Android). You can capture a picture within surespot and it will be saved to your gallery. Sent images are locked by default and cannot be saved to the receiver's gallery until you choose to unlock it by long pressing on the sent image.
Messages you send are under your control, when you delete them from your phone they will also be deleted from the receiver's phone and the surespot server. The server limits message storage to 1000 messages, after which it will automatically delete the oldest message as you send new ones.
When you don't want to talk to someone anymore just delete them from your friends list with a long press, this will delete all of your messages to them. If they invite you back you can block them. Blocking will only be removed if you choose to invite them again.
Need to be someone else? Identities on the same device do not share contact lists, preferences or keys. Delete the identity when you are done and all your messages get deleted, from everywhere.
You can move your surespot identity from device to device or have it open on multiple devices simultaneously by backing up the identity on one device and then restoring it on the other device.
You can choose to save your password in the keychain for easy logging in and quick switching between different identities on the same device. Android users are required to set a PIN or Password for the device if you wish to enable the Keychain function. (You can disable the keychain in surespot settings/global options).
When you establish a friendship the participants exchange a key that can be viewed by long pressing on the friend name. Compare the key you have to the one your friend has to be absolutely sure that you are exchanging messages with your friend and not someone who has achieved a Man-in-the-Middle (MITM) attack. You can regenerate your keys at anytime under Settings/Identity Management if you are concerned about an MITM attack.
If you need to change your password, backup, restore or delete an identity, and generate new key pairs do it here.
Push notification options (sound, vibration, on/off), delete confirmation on/off and select a background image.
I bought it, where did it go? Android- Your voice messaging purchase is associated with the Google Account used to purchase it so if you move a surespot identity to a device that does not use the same Google Account you will not be able to access voice messaging. This is also true if you delete that Google Account from your device. iOS- You need to click "restore" on the voice message screen and you will be prompted for your iTunes password where your purchase record is stored.
No audio detected- The sensitivity of the microphone can be increased by holding down the record and pressing up on the device volume. Some phones have dual microphones that may need to be disabled. Some other applications on your device may have control of the microphone and not allow surespot access until you exit them (eg. Shazam, Talk-to-Text). And finally, check for physical blockage of the microphone by cases or debris.
Android- surepsot uses Google Cloud Messaging (GCM) so a persistent connection to surespot servers is not needed, which would cause battery drain. There are a number of circumstances that may interfere with your device's ability to receive these GCMs and if you are experiencing issues you may try any and all of the following:
~Reboot your phone to reestablish connection to Google Servers.
~Go to Settings/Apps/surespot and check that "Show notifications" is checked on.
~If you have a firewall on your phone, deactivate it.
~Check the device's Advanced Wi-Fi settings to ensure "Keep Wi-Fi on during sleep" is set to Always or Never.
~Check that the device's Data usage/Restrict background data is unchecked.
~Check that your Internet access allows TCP ports 5228-5230 (used by GCM).
iOS- surespot uses Apple Push Notification Service (APN) to notify users of new messages. If you are not receiving notifications of new messages you may try any and all of the following:
~Reboot your phone.
~Go to Settings/Notification Center/surespot and ensure that an Alert Style other than "none" is chosen.
~Badge Notifications, Sounds, Alerts and Lock Screen notifications are turned on under Settings/Notification Center/surespot.
~If you use a proxy server on your Wi-Fi network APNs will not work because they need a direct and persistent connection from device to server.
~Check that your Internet access allows TCP ports 5223,2195,2196 (used by APNs). To check if this is your issue you can turn off the Wi-Fi and see if you receive the push notifications over the network.
Android users with Android 4.3+ will see a notification center pull-down that states "surespot is caching for maximum performance". Google made a modification that now displays a notification for background services that are running. surespot uses the service to cache data like cookies, so that users do not have to log in every single time the app is started. If this notification is a bother you can remove with one of two options- both under settings/global options. You can choose to enable the Key Chain (more info above) or to kill the cache service upon log out. This is not a bug, it is for maximum performance as it states.
Not all encryption is equal. Most messengers provide encryption during message transport using SSL but messages return to an unencrypted form once they reach the server. Other messengers use End-to-End Encryption but store the decryption keys on their servers for ease of use. In either case you would have to trust the server implicitly which has proven problematic when any server operator can be compelled by court order to turn over some or all of the messages and/or keys. Ideally you would not need to trust the server operator- enter surespot, odd for us to promote that you do not need to trust us but it is true!
Data sent using surespot is End-to-End Encrypted with symmetric-key encryption (256 bit AES-GCM) using keys created with 521 bit ECDH shared secret derivation. All that means our servers do not see or hold your keys and the messages you send are encrypted by your device so protected during the entire transport to the receiver, who is the only one who can decrypt the message.
Surespot also enables users to verify the public key fingerprint of friends offline which adds another layer of protection by revealing any MITM attacks.
Every line of the client code used in surespot is made available for inspection / scrutiny and for other developers to contribute to. Linus's law states, "Given enough eyeballs all bugs are shallow." We like to add that all those eyeballs would also see if there was a back door or other way someone could circumvent the security measures applied. Being open source also means that YOU, our users are encouraged to help us implement new features and improve the existing ones. We frequently release updates and invite all user feedback. Check out the respository on GitHub