What guarantee is there that the connection is not being MitM? Closed source app from an unknown developer versus OpenSSH is a no-brainer to me.