By John Gruber
Glenn Fleishman, writing at Macworld:
Scown says Smile stores snippets at rest in unencrypted form on database servers operated by Compose.io, an IBM company. The company evaluated using solutions in which data is always encrypted except during the moments items are needed for syncing or updating, and found the other security elements — such as how passwords were restricted — were lacking in its evaluation.
There’s a difference between unencrypted and insecure, and it’s not de facto unsafe that Smile has made this choice. An attacker has to defeat multiple lines of defense to obtain the raw data — like two-factor authentication — and the raw data in snippets isn’t likely to be as valuable (and thus it’s much less likely to be a target) as, say, information stored by a password-syncing company like AgileBits or LastPass. Data encrypted “at rest” is yet another bar an attacker has to pass, but it’s not insuperable, either.
However, I believe Smile’s approach is naive given the current security climate.
This is my primary concern about TextExpander 6. I see some amount of risk, and no benefit, with storing my text snippets on Smile’s servers.
★ Tuesday, 12 April 2016