I would not believe that the central server has all of the shared secrets. One possible solution is to hash the shared secret and send it to the central server. When someone wants to connect, just hash the key given and send it to the central server. You would get back a list of peers and then connect to them using encryption. The only problem is possible brute forcing of hashes. There are probably other ways of doing it.
Yes, I hope they hash the secrets (and I guess someone could monitor the network traffic from the client to tell).
Also, if someone did have the master list of hashed secrets, they might still be able to manipulate their own client to send the hashed secret back to the server and gain access.
Being closed source, it's hard to know what the potential vectors are (granted, Dropbox is also closed source).
You are correct that it's hard to judge security when the application is closed source. However, in the model we are suggesting, having the hashed secret would not be sufficient to get access to the files. Although you could use it to find clients' IP addresses, you would not be able to connect with it. The reason is that the secret key would be the basis of any encryption between clients.
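An added example of the model these comments describe (not the product's own code): the server holds only a one-way hash of the shared secret, the transport key is derived separately, and a stolen copy of the server's table yields peer addresses but not a usable key; it also shows the brute-forcing caveat from the first comment on a low-entropy secret. The function names, the domain-separation labels and the sample secrets are assumptions.

```python
import hmac
import hashlib
import itertools
# Assumed model (not the product's real protocol): the tracker stores only a
# one-way "discovery id" of the shared secret; the transport key is derived
# from the secret separately and never leaves the clients.
def discovery_id(secret: bytes) -> bytes:
    # What a client sends to the central server to find peers.
    return hmac.new(b"discovery", secret, hashlib.sha256).digest()

def transport_key(secret: bytes) -> bytes:
    # Protects peer-to-peer traffic; never sent to the server.
    return hmac.new(b"transport", secret, hashlib.sha256).digest()

class Tracker:
    # Central server: maps discovery ids to the addresses that announced them.
    def __init__(self):
        self.table = {}
    def announce(self, disc_id: bytes, addr: str) -> list:
        peers = self.table.setdefault(disc_id, set())
        peers.add(addr)
        return sorted(peers - {addr})

def seal(key: bytes, msg: bytes) -> bytes:
    # Authenticate a message with the transport key (MAC only; encryption omitted).
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(key, msg), tag)

def brute_force_pin(disc_id: bytes, digits: int = 4):
    # The thread's caveat: a low-entropy secret is recoverable from its hash.
    for pin in itertools.product(b"0123456789", repeat=digits):
        if hmac.compare_digest(discovery_id(bytes(pin)), disc_id):
            return bytes(pin)
    return None

def scenario() -> dict:
    secret = b"constructed-high-entropy-secret-0123456789abcdef"  # constructed sample
    tracker = Tracker()
    tracker.announce(discovery_id(secret), "10.0.0.1:4000")
    alice_peers = tracker.announce(discovery_id(secret), "10.0.0.2:4000")
    stolen_id = next(iter(tracker.table))  # attacker holds the server's hashed-secret table
    mallory_peers = tracker.announce(stolen_id, "203.0.113.9:4000")
    msg = b"hello peer"
    forged = seal(transport_key(stolen_id), msg)  # the hash is not the secret, so the key is wrong
    return {"alice_sees": alice_peers, "mallory_sees": mallory_peers,
            "forgery_accepted": verify(transport_key(secret), msg, forged),
            "genuine_accepted": verify(transport_key(secret), msg, seal(transport_key(secret), msg))}
```

Holding the hash table lets the attacker learn which addresses share a secret, but every authenticated message they send is rejected; only a short secret (the four-digit PIN case) is recoverable by enumeration.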