This month has been marked by the extraordinary revelations that Chinese state-linked hackers have been marauding through U.S. networks, harvesting user call and text metadata and in some cases their content as well. The result—an unprecedented warning from the FBI for Android and iPhone users to stop sending texts.
The backdrop to this story has been the equally unprecedented iPhone messaging update that has finally brought RCS to Apple’s billion-plus users. While Google has hailed this as “no more blurry photos,” that has been quickly overtaken by events. I highlighted RCS’s security weaknesses before, during and after Apple’s release, but now the FBI has ensured that everyone is fully aware that’s the case.
The defense has been that an end-to-end encrypted RCS update is coming soon. But the new bad news for Android and iPhone users is that this security update is not going to be seen anytime soon. “Work with key industry stakeholders is progressing well,” according to a GSMA spokesperson cited by CNBC, “and we look forward to updating the market in the coming months.” The italics are mine.
This has been painted as surprisingly bad news. “Despite [the] FBI Warning, RCS encryption could take months,” reported PC Mag, while Android Authority warned “Android and Apple users—critical RCS messaging protection is still months away despite FBI warning.” All of which means, explained Tom’s Guide, that “Apple and Android users… should look to other chat apps to communicate.”
In reality, this is entirely expected. As I reported when GSMA and Google first touted an end-to-end encrypted RCS update in September, “unless this is already in test, I wouldn’t be holding my breath, waiting for it to turn up anytime soon.”
If you actually look at what happened post Apple’s launch as regards this RCS security upgrade, it came across as reactive. There was plenty of criticism over the lack of cross-platform security, to which GSMA responded by suddenly announcing “the next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end encryption… the first deployment of standardized, interoperable messaging encryption between different computing platforms, addressing significant technical challenges.”
Google added its voice into the mix: “We believe that E2EE is a critical component of secure messaging, and we have been working with the broader ecosystem to bring cross-platform E2EE to RCS chats as soon as possible.”
Meanwhile, Apple said nothing.
If this was a collaboration between Apple and Google to bridge iMessage and Google Messages, it would take months. But it’s not. It’s an update to the core RCS protocol itself, and so it will mandate changes throughout its architecture. It will need to be tested and then find its way into a limited beta, then a full beta, before becoming generally available in an OS release. iOS 19 is at the earliest?
Don’t hold your collective breath for this to fix the Salt Typhoon problem.
Google Messages was slow to adopt end-to-end encryption itself, only adding this into the mix once it had wrestled control of the RCS rollout from the carriers. And then it was deployed piece by piece, which took considerable time.
And these “months” will prove expensive, because Americans have been urged to use encrypted platforms where possible by federal agencies. WhatsApp has already been building a head of steam in the U.S., making this latest news a gift for Meta.
Apple has been quiet throughout this process and hasn’t said much on RCS, other than to warn that it’s not secure. “Apple’s implementation of RCS is based on the industry’s standard. RCS messages aren’t end-to-end encrypted, which means they’re not protected from a third-party reading them while they’re sent between devices.”
It’s not clear what happens now or when it happens, but in the meantime, if you haven’t already switched to a secure messenger, then do so now. There’s still time for Apple and Google to take control of this situation, as they did during covid, but there’s no signs of that happening yet. And the clock is ticking…