
> The cryptography in this system does not appear to be safe.

While one of the fundamentals, I think it's fair to say that swapping out cryptosystems is 0.1% of the work, or if the communication system needs to be redesigned, 1%. A huge amount of work goes into designing and building all the rest.




Whaaaaat. No way man. Especially if this gains critical mass before it's production-ready for whatever reason (who knows why Farmville and GroupOn hit when they did -- right place, right time), it's nothing short of irresponsible, especially without a way to effectively declare the system compromised and pull the plug.

Not only that, but there are real social implications in having a system that even drops the word "end-to-end encryption" in its phrasing with the whole "Why Johnny can't have crypto" adoption problem. The average engineer rarely reads the docs, my mom would never read the README.md despite the fact that it explicitly says it's not production ready. That bitter taste is left in one's mouth for years (e.g. people still associate Microsoft with unstable, insecure junk a la WinME (or unstable junk like Vista RTM [SP1 was fairly stable, but Vista still is a joke])). If this is Johnny's first exposure to crypto and he's using it to Tinder girls on the side, he's never going to trust crypto again.

Push comes to shove, rolling your own crypto is completely irresponsible. There are plenty of 'alternative internet' solutions out there that are doing the responsible thing and following the conventional protocols (i.e., using libraries that have been heavily vetted by those with graduate degrees in cryptography, have protocols to revoke/expire your keys in place, WoTs, etc.).

RE: Designing and building the rest -- just like one should use someone else's crypto libs, there are already tons of 'alt-internet' infrastructures that exist which do something similar. It doesn't have the novelty of a mobile app, but most of them do have the cryptographic security to make up for it. Just to name a few -- https://cryptosphere.io/ uses libsodium, https://github.com/okTurtles/dnschain is based on GPG and standard PKI, https://wiki.enigmabox.net/ (I've only audited the cjdns server but it looks real solid, granted my specialty of mathematics is a whole different branch so I'm not even close to an authority, other than I know enough not to roll my own). Then of course there's all of the Moxie-type projects out there which I'll be damned if they've got any holes in there, the dude is of DJB meticulousness.

Edit: Yeah, basically what Thomas said below me, re: the responsible thing to do is to advertise it as a product with no cryptography in place. Apologies for the knee-jerk reaction, but secure communication is something I've felt awfully strongly about, as exhibited by my post history pretty clearly.


> if this gains critical mass before it's production-ready

Yeah, that would be bad. Still, I think that with the warnings in place as they are, someone is going to notice and fix it way before that happens.

> my mom would never read the README.md despite the fact that it explicitly says it's not production ready

No, but anyone deploying it would. Your mom is not going to deploy this on her servers, is she?



