Yes, you are absolutely correct regarding the stolen hash being usable as the password, which isn’t ideal. I wanted to get a quick fix out there to prevent clear-text passwords, but of course we have a ways to go to improve security. We actually have a full implementation strategy for fixing this and hope to have it out in a reasonable time range.
To explain what I meant regarding SSL and why it is in fact useful: the app added a cloud sync, which syncs your entire site database on each device to the cloud. This never communicates with the device, hence why it is SSL end-to-end during communication. The SSL is used to encrypt the data in motion to our server; however, before that occurs, the app will encrypt the data using an AES block cipher against your account password that’s properly salted, with encryption started with a unique initialization vector. As a result, the site data is secure when it is at rest on our server.
Thank you for your understanding.
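
The scheme described in the reply above, sketched as an added example that is not the app's own code. The post only says AES with a salted account password and a unique initialization vector, so the mode (AES-256-GCM), the scrypt key derivation, the blob layout and every function name here are assumptions.

```javascript
// Added example, not the app's code. Mode, KDF and blob layout are assumptions.
const crypto = require('crypto');

const SALT_LEN = 16; // random per-blob salt for the KDF
const IV_LEN = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;  // GCM authentication tag
const KEY_LEN = 32;  // AES-256

// Constructed sample input standing in for a device's site database.
const SAMPLE_SITE_DB = JSON.stringify({ sites: [{ name: 'example', user: 'alice' }] });

// Stretch the account password into an AES key; the salt makes the key
// differ per blob even when two users share a password.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, KEY_LEN);
}

// Encrypt on the device; only the returned blob is sent over SSL/TLS.
function encryptForSync(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN); // fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Decrypt on another device; throws on a wrong password or a modified blob.
function decryptFromSync(password, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected (wrong password or tampering).
function isRejected(password, blob) {
  try { decryptFromSync(password, blob); return false; } catch (e) { return true; }
}
```

Because the salt and IV are regenerated on every call, encrypting the same database twice yields different blobs, and the server stores nothing it can decrypt without the account password.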