Updated on September 19 with response to RCS encryption announcement.
As hundreds of millions of iPhone users update their devices to iOS 18, tinting their home screens and navigating their new Photos app, the reality is that this update is more about what’s missing than what has been released. No Apple Intelligence—at least not yet, and another gaping omission that has also been confirmed.
This bad news impacts RCS—the biggest non-AI update coming with iOS 18, that brings rich messaging features to stock iPhone-to-Android messaging for the first time, but which The Washington Post warns, leaves “chats with Android friends still [with] security and other compromises that Apple could have avoided.”
There’s still much excitement as the shiny new SMS v2 texting update goes live. “We’ve known it was coming for almost a year, but today’s the day we’ve been waiting for,” Android Police says. “The texting situation between the default messaging apps for Android and iPhone is getting a huge upgrade… Now that Apple has made iOS 18 official, iPhones can finally use the protocol meant to replace SMS and MMS.”
But those pesky green bubbles persist; this is no magic bullet. “The drama has been ongoing for so long,” Gizmodo says, “that we have to recognize the small things that add up to a better texting experience.” That includes typing ellipses, read receipts, sharing non-blurry images. But with “growing pains,” that often seem to depend on the generation of Android phones being messaged, network conditions, and the seamless cross-platform experience we have come to expect from other apps.
But the more serious issue is hidden from sight. “In some important ways,” The Post says, “Apple’s messaging app remains stuck in the flip-phone era, which undermines everyone’s message security.” While Gizmodo says “we have to acknowledge that iOS users will have a different experience texting their iPhone friends than those on Android. The version of RCS Apple is using is not encrypted, unlike iMessage.”
So, was this inevitable and unsolvable? No—not in any understandable way. “Apple largely blames limitations in the technology that meshes iPhone and Android messaging apps,” The Post says. “That’s an incomplete explanation. Apple’s own choices also make chats with Android devices worse.”
What this means—as I’ve explained before—is that Apple and Google could have collaborated on a secure API between their messengers to fully secure content, to better compete with Signal, WhatsApp, Facebook Messenger, or texting within their own walled gardens. Or Apple could have delivered an Android iMessage app.
Instead this doesn’t really compete with the cross-platform security of those over-the-top messaging platforms. And that’s above and beyond some of the other clunky compromises that come from SMS V2 over and above a dedicated cross-platform app.
While RCS has been popularized by Google’s managed push across the entire Android ecosystem, it has done so with a proprietary client that adds a fully encrypted layer along with other updates. RCS itself doesn’t include full security, and it’s that limited protocol that Apple has adopted for its iOS 18 update. Apple has said that it will work with the mobile industry’s standard setters to push for an improved protocol. But that’s not coming anytime soon. And until then these compromises remain.
The net result is that Apple’s iMessage update does not give users in Europe or Asia or Africa—where the likes of WhatsApp, Viber, Telegram and others dominate—any reason to switch, and in the US, where WhatsApp is on a tear, this just underpins Meta’s relentless privacy campaign that has been running all year.
What makes this all the more interesting is Telegram, and the recent travails of its founder and frontman Pavel Durov. Telegram’s issue has always been the gap between its marketing and its reality. The messenger plays the security card but doesn’t fully encrypt its messages either, just like RCS. Telegram’s real play has always been its rogue refusal to collaborate with the authorities—until now, one assumes, and its secrecy—better facilitating anonymity for users.
Durov’s arrest has left many of Telegram’s near billion users pondering who will now get access to the messages sitting on Telegram’s servers, protected by nothing but the platform’s own encryption (to which it holds the keys) and its voluntary policies.
There are other compromises with the new RCS linkage between iPhone and Android—unsurprising, given that the linkage relies on a cellular protocol versus more dedicated integration between the platforms. Had Google and Apple set out to deliver a less clunky, more secure messaging experience between Android and iPhone, none of these issues or compromises would now be hitting millions of users.
While the initial RCS go-live is disappointing with those glaring omissions, there is some good news—maybe. Mobile standards setter, the GSMA, published a blog on Tuesday following the release of iOS 18.
“Today, we are celebrating a significant milestone in the evolution of messaging with the launch of Rich Communication Services (RCS) support on iPhone,” GSMA’s Technical Director, Tom Van Pelt, posted. “It represents a step forward in bringing RCS’s feature-rich messaging to more users across both iOS and Android.”
And while Van Pelt called out the current feature updates, “like typing indicators, read receipts, high-quality media sharing, and improved group messaging,” the real point of the post was much more important.
“The next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end encryption,” he announced. “This will be the first deployment of standardized, interoperable messaging encryption between different computing platforms, addressing significant technical challenges such as key federation and cryptographically-enforced group membership.”
Given Apple’s security and privacy focus, it was surprising to see Google amplifying this first, before Apple, but then RCS on iPhone has always seemed more important to Google than Apple. Users have long been left with the feeling that Apple wouldn’t have made the move if it could have been avoided. That’s why it was it was such a surprising u-turn when first announced last year. I have approached Apple for any comments it has on GSMA’s news in light of its iOS 18 release.
“We’re proud to have offered end-to-end encryption (E2EE) in Google Messages with RCS since 2020,” Elmar Weber, head of Android and Business Communications, posted on LinkedIn. “We believe that E2EE is a critical component of secure messaging, and we have been working with the broader ecosystem to bring cross-platform E2EE to RCS chats as soon as possible. Google is committed to providing a secure and private messaging experience for users, and we remain dedicated to making E2EE standard for all RCS users regardless of the platform.”
The real question is why do this as an update to the standard RCS protocol rather than a simpler and more effective API between Google Messages (the stock Android messenger) and iMessage (the stock iPhone messenger), which would be technically easier and more powerful, and would also provide a better sense of end-to-end security. Beyond those two platforms, feature-rich RCS is becoming less interesting now, especially in light of Samsung’s decision to switch to Android’s standard.
The other question is how long this will take and when users can expect an update that essentially just brings RCS closer to where other platforms are today. This is unlikely to happen anytime soon—and until then the challenges remain.
“Even if messaging apps follow the RCS standard,” Samsung pointed out, explaining why it was ditching its own platform in favor of Google’s, “the availability may be limited depending on which app the other party uses. That’s why we decided to make Google Messages the common messaging platform, allowing Galaxy users to communicate more freely. This also enables a messaging app to respond to changes of the RCS standard more quickly and efficiently.”
The response to Google and GSMA’s newly apparent urgency on end-to-end encryption has, unsurprisingly, excited serious interest. Why it has taken Apple’s release of iOS 18 to finally address those questions is much less clear.
In the almost a full year since Apple’s RCS u-turn, there have been countless articles explaining the encryption deficit with today’s RCS protocol, and interpretation of Apple’s cryptic commitment to work with the industry to enhance RCS security. It would have been good to provide some clarity at any point during that time.
As Droid Life points out, “unfortunately, there is no timeline for encryption to arrive, this is simply an acknowledgement by the governing body that it is an important next item to introduce. Knowing how this industry moves and how long it took for RCS to become a thing, I’m not exactly optimistic in encryption arriving any time soon.”
And that’s the crux of this issue. One can’t help but feel this is GSMA and Google rushing to act as the gloss quickly fades on the iPhone RCS excitement as the reality sets in—it’s clunkier than WhatsApp, it’s less secure than WhatsApp. Not only is this coming from these who had been pushing Apple towards RCS rather than Apple itself, but it’s coming after the RCS-shaped horse has already bolted.
But that’s coming from a security perspective. The reality is that most users overlook such risks. “As an Android user,” penned The Verge, neatly summing this up, “I’m just happy that I’ll finally be able to send high-quality photos and videos to my iPhone-wielding friends and family. E2EE would just be an added plus.”
But even on that simpler front there are issues. Because RCS is a cellular protocol rather than an end-to-end platform with apps at each end, it needs carrier support. And as ZDNet reports, “in the US, RCS is available on the iPhone via the three major carriers (AT&T, Verizon, and T-Mobile), many regional providers, and a few mobile virtual network operators (MVNOs). RCS support also varies across Europe, Asia-Pacific, Africa, Latin America, the Middle East, and India. In general, the major carriers tend to offer it; the smaller ones, not so much.”
As Ars Technica explains, “some iPhone users, particularly on mobile virtual network operators (MVNOs)—typically pre-paid services that do not own network hardware but resell major carrier access—do not have an RCS option available to them yet.”
All of which raises the fundamental question here—why. Being painfully pragmatic, the danger for the expansion of RCS to iPhone is that it’s a solution searching for a problem. RCS launched three days ago, and despite receiving dozens and dozens of texts in that time, I have’t had a single RCS message. Here in the UK, no-one is even talking about it outside the tech community. Here in the UK—as with almost everywhere outside the US—everyone uses WhatsApp as their go-to messenger, or perhaps Facebook Messenger or Viber or Signal or similar.
Google creating a Messages app for iOS would be pointless, but for Apple doing the same with iMessage could generate more of a buzz with its blue bubble cachet. But were Apple and Google to collaborate on a tight integration between their apps, that would quickly create a viable competitor to the over-the-tops. That hasn’t happened, and a security layer that doesn’t actually control the end-to end will fall short.
With nicely timed irony, WhatsApp has just painted a clearer picture of the third-party chats it is bringing into its platform to adhere to Europe’s DMA. Even this seemingly provides a better solution than the expansion of RCS. And we should be mindful of WhatsApp’s own warning that where it doesn’t control the app at each end of a chat, it can’t truly attest for its security. That issue is exactly the same for fully encrypted RCS. The painful reality for Google and GSMA, is this will always fall short.
Perhaps with RCS in mind, WhatsApp says that “we’ve also gone above and beyond the ‘basic’ features required for interoperable messaging under DMA, and we will provide rich messaging features such as reactions, direct replies, typing indicators, and read receipts. In accordance with the DMA, in 2025 we will include the option to create groups, and voice / video calling in 2027.”
As the messenger told its users ahead of third-party chats launching, “the E2EE promise Meta provides to users requires us to control both the sending and receiving clients… While we have built a secure solution for interop that uses the Signal Protocol encryption to protect messages in transit, without ownership of both clients (endpoints) we cannot guarantee what a third-party provider does with sent or received messages, and we therefore cannot make the same promise.”
Which is why ESET’s Jake Moore has warned, “it’s just not possible to send a message from one encrypted app to another without a serious downgrade of the cryptographic techniques in order to accommodate this interoperable feature. While end-to-end encryption is seamless for most users, no two apps implement encryption identically and this is where the security problems lie. A compromise is inevitable, but the real problem is that technology companies know that a large majority of users still do not fully understand or worry about the privacy and security risks.”
As WhatsApp acknowledges despite its seemingly looking to make third-party chats seamless and easy enough to work, “we believe it is essential that we give users transparent information about how interop works and how it differs from their chats with other WhatsApp or Messenger users… Users need to know that our security and privacy promise, as well as the feature set, won’t exactly match what we offer in WhatsApp chats.”
All told, fully encrypted, more seamless platforms—Signal and WhatsApp would be my picks—don’t have any of these issues, albeit bear in mind the metadata shared if you use WhatsApp. But I see no reason for anyone to change their daily messenger to iMessage or Google Messages. It’s simply not worth the compromises or the risks.