TextExpander utility saves keystrokes by letting you type a short sequence that’s replaced by a longer one. That’s the heart of the app, which has expanded (sorry) its repertoire of replacement types over time to include form letters with fill-in and drop-down elements, a library of emoji, and a host of placeholders for date, time, the contents of the clipboard, and other elements.
The previous updates for OS X and iOS are less than a year old;
we reviewed version 5 of TextExpander for OS X last June and our high opinion of the core software remains unchanged.
However, the reason for this new review is a significant change in how its maker, Smile, prices its new version, which is coupled with mandatory cloud-based synchronization through its own servers, as well as options to share continuously updated snippets for individual users and groups.
With the new ecosystem, the TextExpander apps for OS X and iOS (and a beta for Windows 7 and later) cost nothing but work only when there’s an active monthly or yearly subscription. Further, the company’s website becomes a required hub for all users, whether they sync and share or not.
For details about core features in TextExpander, consult
our version 5 review. In this review, I’ll point out changes in the snippet editor, but will be focused on the ecosystem of apps: First, how it all works; next, security decisions and tradeoffs; and finally, how existing users should approach the new arrangement.
But I can start with the conclusion: This first iteration is overpriced for most users’ needs, and removing the ability to use TextExpander on a standalone basis with a less efficient personal sync doesn’t give existing customers any advantage. Smile says it plans to add additional features and sophistication, which may ultimately make it worth the price to some users in the future, including those upgrading from the previous standalone releases. But we review the software and service in front of us, not a future version we can’t test.
Moving to cloud city
The new set of TextExpander apps revolve around and connect to Smile’s servers. You’re required to set up an account and it has to be in good standing—currently paid for and active—to use snippets on any copy of the app you have, as well as to access sharing features on the website. If you’re logged out or the subscription lapses, snippets disappear. (They can be exported from the OS X version to retain copies.)
The new app versions comprise TextExpander 6 for OS X, TextExpander 4 for iOS, and TextExpander 1 for Windows (in beta). There’s no purchase cost for the apps. The two subscription levels are labeled Life Hacker (for consumers) at $5 billed monthly or $47.50 per year and Team (for businesses) at $10 billed monthly or $95.50 pear year. Smile offers a 30-day trial for both flavors of its service. (Owners of previous releases receive a lifetime discount on the Life Hacker tier’s yearly rate.)
Both tiers allow something previously unavailable in TextExpander: publishing snippets to others that push out updates whenever the source snippet is changed. Previously, TextExpander required exporting a snippet group (a folder that collects items), sending that or loading it on a shared local or cloud server, and importing it in another copy of the app. (That option remains available.) Further, anyone with permissions to edit a shared snippet can make changes, and those revisions are in turn pushed to everyone that’s part of the shared group.
The Life Hacker flavor lets subscribers share with any other user by email address. The Team version adds administrator-level features for showing group members, managing permissions, automatically pushing groups of snippets to people joining an organization or already part of it and consolidated billing.
This new ecosystem adds an ok, but slightly awkward web app to the mix. When logged into an account at Textexpander.com, you have the same access to groups of snippets and individual entries, and can even edit and add snippets using all the tools available in the native apps. (The website is also the only way to edit snippets with the current Windows beta, which lacks a front-end interface, and can only expand snippets defined elsewhere.)
Some snippet groups can’t be shared, and the iconography isn’t crystal clear. If you see an icon with a single person that also has an orange plus-sign icon to its right, you can add other users. The Suggested Snippets group, however, can’t be shared, but has the single-person icon. Groups identified with a globe are set “worldwide” by Smile, such as for emoji.
Clicking the plus sign lets you enter email addresses, but not (yet at least) select people with whom you’ve already shared other snippets. There’s no global or local address book, which reduces utility, though ensures more privacy. You can set permissions for whether newly added people have admin privileges, can edit, or further share the group, or change the permissions at any time as an admin for anyone with whom you’re currently sharing.
Teams have more controls, with admins being able to assign snippet groups that are automatically added to new or existing users’ accounts. Team-shared snippets can be shared with guests outside the team, but a snippet group created for a team or moved under team management can’t be converted back to a regular group via the web interface. Instead, you have to export it and import it back in, then delete the team version.
Syncing and sharing are the same thing in this new ecosystem, and in my testing, it worked equally well on my devices with the same account and among devices logged in to different accounts that were sharing snippet groups.
The one significant change in the apps, by the way, involves both improvement and omission. A redesigned snippet editor has drop-down menus with all the special features, like inserting time-based placeholders, system keys, fill-in items, and the rest. This is a far superior interface for both new and experienced users. The editor is identical across the Mac, iOS, and web apps.
However, there’s also a step back. TextExpander for OS X used to have a split-pane view that provided a live preview as you assembled a snippet. This preview now requires a keystroke (Command-Return), which produces a modal dialog that has to be dismissed. In the iOS app, tapping a forward arrow brings up a preview and tapping a back arrow takes one back. The web app lacks a preview entirely.
And there’s an odd and unfortunate omission in this first outing related to sharing. You can’t manage shared snippet groups via the native apps. Sharing, adding people, managing permissions, and other tasks can only be done via the web app. While I expect that will be remedied in future releases of the apps, it makes it feel as if the ecosystem was released too soon.
The Windows client is still in beta testing, and didn’t work well for me on an up-to-date Windows 10 laptop; I couldn’t get it to expand with the latest beta release and restarting the laptop. It’s also “headless,” as noted above, and has no snippet-editing or preferences interface.
Hidden in plain sight
Previously, Smile hasn’t stored any snippet information on servers under its control. Any syncing involved required a third-party service, and snippets were as vulnerable to disclosure as the policies and protections offered by those other firms, like Dropbox and Apple (for iCloud).
Now, central storage of snippets is mandatory. The new ecosystem stores everything on Smile’s servers, uses the web app as a view into storage and administration, and treats apps as synchronized end points. This invites more scrutiny of Smile’s security and encryption. The company’s co-founder, Greg Scown, answered a number of questions via email that weren’t on the firm’s website as I wrote this, but the company plans to provide more detail.
fundamentally maintains that its users shouldn’t put anything that’s generally useful to another party if it were stolen, such as social security numbers and passwords. That’s impossible to enforce, of course, and snippets used inside a company—even the full set of responses a company uses for customer service—could reveal sensitive information alone or when viewed as a set.
All the apps and the website use the most recent secure version of TLS (version 1.2) for encrypted sessions, such as over https. However, the apps and website don’t use certificate pinning, in which the digital certificates used to validate identity are restricted to be accepted only if issued by a small number of outside parties. Pinning prevents subverting operating systems through malware that can install root certificates that would produce valid-looking documents that a pinned app would reject, but a non-pinned one would accept. It’s seen by security experts as a best practice for iOS apps by Apple and for apps in general.
Scown says Smile stores snippets at rest in unencrypted form on database servers operated by Compose.io, an IBM company. The company evaluated using solutions in which data is always encrypted except during the moments items are needed for syncing or updating, and found the other security elements—such as how passwords were restricted—were lacking in its evaluation.
There’s a difference between unencrypted and insecure, and it’s not de facto unsafe that Smile has made this choice. An attacker has to defeat multiple lines of defense to obtain the raw data—like two-factor authentication—and the raw data in snippets isn’t likely to be as valuable (and thus it’s much less likely to be a target) as, say, information stored by a password-syncing company like AgileBits or LastPass. Data encrypted “at rest” is yet another bar an attacker has to pass, but it’s not insuperable, either.
However, I believe Smile’s approach is naive given the current security climate. Other firms operating sync, backup, and hosting services that have native and web clients can let subscribers create a private passphrase that’s used for a per-account encryption key so that data is always encrypted in storage. These systems can support various methods to allow shared access to the same resource, as well.
This may seem like overkill and it adds a support burden to Smile (a lost passphrase means snippets would be unavailable unless backed up locally), but with their subscription cost, this seems like a reasonable baseline for which to ask. There are many approaches, and Smile chose none of them.
One more issue, highlighted after this review was originally published. The
terms of service for TextExpander states explicitly, “The Service is not intended for use by users employed by any federal, state or local government.” This is likely intended to reduce liability, but it strikes another sour security note.
A choice to upgrade for existing users
Those who own recent copies of TextExpander may be faced with a quandary. To ease the transition, Smile is offering registered users 50 percent off monthly subscriptions for the first 12 months (about $2 a month), as well as a lifetime 50-percent discount off a yearly Life Hacker subscription, making it $20 a year.
However, many users may not be interested in the sharing feature; I can’t find a reason for it in my workflow. It’s my fundamental question as I review this revision: How many current users have been dying to share automatically updated snippets? The new system may be highly attractive to new subscribers, especially in business, but if you have no desire to move to this mode, you don’t have to.
The previous releases continue to work in iOS and OS X, and Smile will continue to offer them for sale under the old pricing ($45 for the OS X version and $5 for the iOS one). Smile also changed its original plan to just maintain compatibility for the older versions to continuing development on them. In a statement on April 12, Smile said it will continue to bring some new features to the previous versions as well.
If you want to try out the new version, you can’t have both TextExpander 5 and 6 running at the same time, although you can have both installed and named distinctly, and run one or the other. Installing the new version 4 in iOS doesn’t remove the previous version 3 release, and as alternative keyboards, you can switch among them.
Smile says TextExpander 6 won’t create backward-incompatible snippets, so you can make new snippets in the new version and then export and use them with the older one if you don’t choose to continue with a subscription.
You don’t have to make a decision right away. I believe most current users will probably stick with the previous versions.
A low value in the current price
As a dedicated user of TextExpander for many years, I continue to find a high degree of utility in it, even more so as it’s matured. However, it’s impossible for me to wholeheartedly recommend TextExpander’s new approach to either existing or new users.
For existing users, there’s not enough advantage unless you fall in what I think is a relatively narrow band of people who need more than sync and want individual or team sharing. If you’re one of them, this is the ecosystem for you.
For new users, the cost is simply too high for the current utility offered. While I trust that Smile will continue to expand and develop its product, the subscription price is not far below Slack’s paid tiers, and Slack is a vastly more complicated and sophisticated communication system. The business price isn’t far below entry-level customer relationship management (CRM) software that includes form-based responses that are fully integrated with incoming and outgoing email.
A future version of the TextExpander ecosystem may fulfill Smile’s goals in making this business-model switch, but the current version falls short for the price demanded.
Editor’s note: This review was updated to include information about the terms of service that note TextExpander is unsuitable for government users. The review was also revised to note
price changes announced on April 12.