Do you need to stop using RCS?
This was the year that messaging was to become more seamless, not more confusing. RCS coming to iPhone heralded the start of something exciting and new, we were told, but then the FBI warned that messages had been hacked and citizens should stop texting and everything suddenly changed. So, should you stop using RCS?
RCS has an image problem, but it’s also not well understood. Put simply, RCS is just a new protocol for an enhanced form of carrier messaging. This successor to SMS adds the rich features we’re used to with IP messaging on platforms such as WhatsApp and iMessage, but with the benefits of carrier messaging, including working over a core cellular connection with no need for a data connection as well.
RCS should have been adopted by both Android and iPhone when it launched some years ago—but that didn’t happen. That meant that it became an Android messaging upgrade, which in turn meant that Google took over responsibility from the carriers for its global rollout, and used it to drive adoption of Google Messages as the de facto texting client on Android, instead of carriers and other OEMs having their own.
Because Google pushed the RCS rollout through its Google Messages platform, it plugged gaps in RCS functionality by adding its own wrapper to the technology. While RCS at its core is just a carrier messaging protocol like SMS, Google’s proprietary wrapper builds on that for its own users. Above all, this enabled Google to fix RCS’s main weakness—security, but only for its own users.
End-to-end encryption has become tables stakes for phone messaging. Popularized by iMessage and WhatsApp, it has now been adopted by other major platforms, even including Facebook Messenger. Security experts recommend only using platforms with this level of content protection for your day-to-day messaging.
Carrier messaging has never been end-to-end encrypted. Rather than message directly from one phone app to another, these messages are routed across a patchwork quilt of cellular networks in the same way as cellular calls. This means that the apps at each end can be different, as long as they use that same RCS protocol. There is no need for encryption keys to be shared or held, it’s an open standard.
Google’s fix was simple. It added end-to-end encryption to Google Messages, essentially a secure envelope within which RCS messages could be transmitted. But that only works if both “ends” are Google Messages. If one end is not, then it drops back to the standard RCS protocol and end-to-end encryption is not used.
That was a non-issue when RCS was Android only and Google was standardizing users onto Google Messages. But as soon as Apple added RCS to iPhone, that glaring security issue became a headline problem. Suddenly, there were a billion-plus new endpoints that were RCS-enabled but which were not using Google Messages.
Such was the storm of security protests post iOS 18 in the fall as this issue became clear, that the mobile standards setter—the GSMA—and Google announced a fix in the works, an end-to-end encryption add-on to the standard RCS protocol. But how this will work or when this will arrive is unclear given the carrier complexity.
In reality it’s not needed. Pre Apple’s release of iOS 18 there was only one RCS app that mattered—Google Messages. Post that release, there are only two that matter—Google Messages and iMessage. We don’t need a change to the RCS protocol—that seems completely pointless. We just need Apple and Google to build a secure bridge between their messaging apps to bring full encryption to iPhone-Android messaging.
This would be easily done and there’s a timely precedent which does exactly that. Driven by Europe’s Digital Markets Act (DMA), WhatsApp has built a third-party chat architecture that enables other fully encrypted platforms to send secure messages to WhatsApp and vice versa.
And while WhatsApp warns that this is not as secure as messaging within its own platform, where it controls both ends of the end-to-end encryption, it’s much more secure that it would be without that full encryption and it addresses the new threat highlighted by the FBI’s texting warning—it masks content from carrier networks and as such cannot be hacked in the same way as SMS or RCS.
There is another precedent that also might give us hope here. During the covid pandemic, Apple and Google collaborated on contact tracing warnings, providing a standard linkage between their two ecosystems. Bridging their messaging apps would be much easier than that. This is a commercial issue, not a technical one.
No sign yet of this happening. But in a world where America’s federal agencies are warning users to stop texting, one would hope minds will change for practical reasons if nothing else. Messaging security has never been more discussed.
Apple’s own warning on RCS is clear-cut. “When your device connects to your cellular network, it communicates with your carrier and their partners to set up RCS. User identifiers are exchanged to authenticate your device and provide a connection. These identifiers could include but are not limited to your IMEI, IMSI, IP address, and phone number. Your current IP address might also be shared with other RCS users.” And that applies to any usage of RCS from iPhones—it is never fully encrypted.
But you should still have RCS enabled on your iPhone or your Android, and on Android you need to use Google Messages. You should not stop using RCS. It’s more secure than SMS, notwithstanding its issues. But you should still treat RCS messaging in much the same way as you treated SMS beforehand. Don’t text anything personally sensitive or security related, don’t text credit card numbers or other financial data, don’t use it to send confidential business information, especially given the ready availability of fully encrypted platforms to use instead.
One Community. Many Voices. Create a free account to share your thoughts.
Our community is about connecting people through open and thoughtful conversations. We want our readers to share their views and exchange ideas and facts in a safe space.
In order to do so, please follow the posting rules in our site’s Terms of Service. We’ve summarized some of those key rules below. Simply put, keep it civil.
Your post will be rejected if we notice that it seems to contain:
User accounts will be blocked if we notice or believe that users are engaged in:
So, how can you be a power user?
Thanks for reading our community guidelines. Please read the full list of posting rules found in our site’s Terms of Service.