Scown says Smile stores snippets at rest in unencrypted form on
database servers operated by Compose.io, an IBM company. The
company evaluated using solutions in which data is always
encrypted except during the moments items are needed for syncing
or updating, and found the other security elements — such as how
passwords were restricted — were lacking in its evaluation.
There’s a difference between unencrypted and insecure, and it’s
not de facto unsafe that Smile has made this choice. An attacker
has to defeat multiple lines of defense to obtain the raw data —
like two-factor authentication — and the raw data in snippets
isn’t likely to be as valuable (and thus it’s much less likely to
be a target) as, say, information stored by a password-syncing
company like AgileBits or LastPass. Data encrypted “at rest” is
yet another bar an attacker has to pass, but it’s not

However, I believe Smile’s approach is naive given the current

This is my primary concern about TextExpander 6. I see some amount of risk, and no benefit, with storing my text snippets on Smile’s servers.