
Are updates directly from Evernote secure on Mac?



With all of the hoopla recently on the train wreck of updates from OEMs for Windows PCs I thought I'd look at my Mac. While updates from Apple and the Mac App Store are secure, apps that update themselves outside of the Mac store may not be secure. It seems one of the more popular distribution engines, called "Sparkle", may have the same gaping flaws that the Windows updates from OEMs (Dell, Lenovo, etc.) have, which are that manifests are text, not digitally signed, and not transmitted over HTTPS via SSL or TLS. Ars Technica has more info.

It appears Evernote uses Sparkle based on this article and this article, the latter of which lists probably close to 100 popular apps.

Just because an app uses Sparkle doesn't mean its updates are insecure; it depends on how the vendor has it configured.

Can we get a response from Evernote?

The safe thing is to update via the app store, but that precludes being on betas, and the app store is always slower to release new versions, so that isn't ideal.

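The three properties the post above worries about (the manifest fetched over HTTPS, the download served over HTTPS, and the manifest entries carrying a signature) can be audited from an app's Info.plist and its appcast without installing anything. The script below is an added example for this thread, not code from Evernote or the Sparkle project. It assumes the Sparkle 1.x conventions of an SUFeedURL and SUPublicDSAKey entry in Info.plist and sparkle:dsaSignature (or sparkle:edSignature) attributes on appcast enclosures; the Info.plist and appcast documents it inspects are constructed samples so it runs offline.

```python
"""Audit a Sparkle-updating Mac app for the weaknesses discussed in the thread.

Checks: (1) SUFeedURL uses HTTPS, (2) a public key is present so Sparkle can
verify signatures, (3) every appcast enclosure is downloaded over HTTPS and
carries a Sparkle signature attribute. Sample inputs below are constructed.
"""
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Sparkle's XML namespace for appcast attributes (real value, used by Sparkle feeds).
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
SIGNATURE_ATTRS = (f"{{{SPARKLE_NS}}}dsaSignature", f"{{{SPARKLE_NS}}}edSignature")

# Constructed sample: weak configuration, plain-HTTP feed and no public key.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.weakapp</string>
<key>SUFeedURL</key><string>http://updates.example.test/appcast.xml</string>
</dict></plist>"""

# Constructed sample: corrected configuration, HTTPS feed plus a public key
# (the key value itself is a placeholder, not a real DSA key).
FIXED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.fixedapp</string>
<key>SUFeedURL</key><string>https://updates.example.test/appcast.xml</string>
<key>SUPublicDSAKey</key><string>PLACEHOLDER-PUBLIC-KEY</string>
</dict></plist>"""

# Constructed sample appcast: one unsigned HTTP enclosure, one signed HTTPS one.
SAMPLE_APPCAST = f"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
<channel><title>Example App</title>
<item><title>Version 1.1</title>
 <enclosure url="http://updates.example.test/App-1.1.zip"
  sparkle:version="1.1" length="1024" type="application/octet-stream"/>
</item>
<item><title>Version 1.2</title>
 <enclosure url="https://updates.example.test/App-1.2.zip"
  sparkle:version="1.2" sparkle:dsaSignature="CONSTRUCTED-SAMPLE-SIGNATURE"
  length="2048" type="application/octet-stream"/>
</item>
</channel></rss>"""


def info_plist_findings(plist_bytes):
    """Return a list of weaknesses found in an app's Info.plist update settings."""
    info = plistlib.loads(plist_bytes)
    findings = []
    feed = info.get("SUFeedURL")
    if feed is None:
        # Not necessarily a problem: the app may set its feed URL in code.
        return ["no SUFeedURL key: feed URL not declared in Info.plist"]
    if urlparse(feed).scheme != "https":
        findings.append(f"appcast fetched over {urlparse(feed).scheme}: {feed}")
    if not info.get("SUPublicDSAKey") and not info.get("SUPublicDSAKeyFile"):
        findings.append("no SUPublicDSAKey/SUPublicDSAKeyFile: signatures cannot be verified")
    return findings


def appcast_findings(appcast_xml):
    """Return a list of weaknesses found in the enclosures of an appcast document."""
    root = ET.fromstring(appcast_xml)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", "?")
        for enc in item.iter("enclosure"):
            url = enc.get("url", "")
            if urlparse(url).scheme != "https":
                findings.append(f"{title}: download not over HTTPS: {url}")
            if not any(enc.get(attr) for attr in SIGNATURE_ATTRS):
                findings.append(f"{title}: enclosure carries no Sparkle signature")
    return findings


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_INFO_PLIST), ("fixed", FIXED_INFO_PLIST)):
        print(label, "Info.plist:", info_plist_findings(plist) or "OK")
    print("appcast:", appcast_findings(SAMPLE_APPCAST) or "OK")
```

Against a real installation the two functions would be fed the bytes of `<App>.app/Contents/Info.plist` and the appcast fetched from its SUFeedURL; a clean result from both is what a vendor's "we use HTTPS and signed updates" claim should look like in the artefacts.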

Hi @EdH, I lead the Evernote security team and am happy to respond.

Evernote does use Sparkle in our Mac app. We were not vulnerable to the Sparkle security issues because we use HTTPS for both the software download and loading WebView content.

Even though we weren't vulnerable in older versions, we updated to Sparkle version 1.13.1 in version 6.6 of our Evernote Mac client.

21 minutes ago, Rich Tener said:

Hi @EdH, I lead the Evernote security team and am happy to respond.

Evernote does use Sparkle in our Mac app. We were not vulnerable to the Sparkle security issues because we use HTTPS for both the software download and loading WebView content.

Even though we weren't vulnerable in older versions, we updated to Sparkle version 1.13.1 in version 6.6 of our Evernote Mac client.

Thanks Rich. I figured as focused on security as Evernote seems to be, this was the case, but didn't want to make that assumption without asking. Thanks for the confirmation!
