For Android users, your phone has suddenly changed. It took just 14-days to destroy years of slow RCS progress with a security nightmare that’s now getting worse. Even the mainstream media is warning users away from RCS, leaving Google with some thinking to do. And Apple’s surprise move may mean it’s already too late.
On November 19, a concerted campaign between Google and Samsung “welcomed a new era of more seamless, cross-platform messaging… Samsung partnered with Google to help drive the adoption of RCS, a modern, interoperable standard for enhanced messaging. Now with the latest version of iOS supporting RCS, the benefits are available beyond the Android ecosystem when messaging across platforms. This wider adoption takes the industry one step closer to a universal seamless messaging experience, improving how users connect around the world.”
The small caveat in Samsung’s press release received little pick-up in the media at the time. “Encryption is only available for Android to Android communication,” it said. But exactly two-weeks later, on December 3, that was suddenly all that mattered.
The FBI and CISA shocked the cellular world with their Salt Typhoon revelations, as Chinese hackers marauded through U.S. networks, seemingly at will. It is “ongoing and likely larger in scale than previously understood,” the officials warned. And then the kicker: citizens should be “using a cell phone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant MFA for email, social media and collaboration tool accounts,” the FBI warned.
And just like that, RCS was exposed in its “Emperor’s New Clothes” for all the world to see. When even Reader’s Digest warns its readers “why does it suddenly say ‘RCS’ in some of your texts? Here’s how it could be a huge security risk,” you know you have a serious problem, and one that has fully hit the mainstream.
RCS is little understood. While it is a carrier networking protocol that was developed as a successor for the woefully insecure SMS, its use is almost entirely now within Google Messages. Other RCS platforms, especially in the U.S. (1,2), are pushing users to Google Messages. As such, Google Messages has become Android’s iMessage alternative, but one with a killer vulnerability buried deep inside.
The FBI’s text warning was actually more complicated than it seemed at the time. The Bureau emphasized “responsibly managed encryption,” by which it meant law enforcement accessing encrypted content with a court warrant if needed. The end-to-end encryption we all use on our phones does not allow that, even the companies running the services—Meta, Apple, Google, Signal—can’t access your content.
Ironically, Apple did used to offer exactly the kind of encryption backdoor the FBI wants to see made more available. it used to be impossible to backup iMessage or run it cross-device without storing a copy of your iMessage encryption key in iCloud which could be used to unlock your backup. That has now changed, though, and Apple offers full iCloud encryption which means that backdoor has slammed shut.
But that twist was overlooked—the story became one about basic content security and the need to protect texts and calls from hackers inside U.S. networks.
And while initially the exposure of RCS was just about Android to iPhone texting, where Apple’s decision to adopt the standard RC S protocol meant no end-to-end encryption between Google Messages to iMessage, that soon became worse.
Cue tech blogger John Gruber, who warns that Google Messages is “shamefully misleading regarding support for end-to-end encryption… [it] does support E2EE, but only over RCS and only if all participants in the chat are using a recent version of Google Messages,” even though its Play Store description “flatly declares ‘Conversations are end-to-end encrypted’, full stop.”
Gruber’s argument is that “it’s downright fraudulent to describe Google Messages’s transit security this way. Imagine a typical Android user without technical expertise who takes the advice (now coming from the FBI) to use end-to-end encryption for their messaging. A reasonable person who trusts Google would look at Google’s own description of Google Messages and conclude that if you use Google Messages, all your messages will be secure. That’s false. And depending who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it’s quite likely most of your messages won’t be secure.”
And that encryption warning is getting more widely picked up. “Google Messages [is] putting American users at risk,” Phone Arena reported on Thursday, citing Gruber’s blogpost and warning that “cross-platform RCS messaging isn’t end-to-end encrypted, which is why iOS and Android users should consider using third-party apps like WhatsApp or Signal to text each other.”
The reality is that Apple and Google have taken completely different approaches to messaging and that now shows. Apple’s iMessage is arguably the best messaging architecture available today. It is completely secure, runs seamlessly across multiple devices relying on Apple’s trusted device architecture, and integrates with its equally secure FaceTime platform to add voice and video calls into the mix.
Contrast that with Google Messages, which added an after-market encryption wrap around RCS that only works when recent versions of its own app are used on all sides of a chat. There is no secure calling option, and it is much harder to notice if your text is secure or not—there is no blue/green bubble equivalent.
“We have worked hard for years to make RCS the standard for improved cross-platform messaging, and Samsung has been instrumental in the growing adoption of RCS,” Google said in that joint PR with Samsung, with the Galaxy maker adding that “RCS is quickly becoming the universally adopted, modern messaging standard, enhancing communications for users everywhere.”
That was less than a month ago—it hasn’t aged well.
So, where does this leave Android users? If you care about the security of your messages—and not all users do—then you should switch to a secure platform. You can put aside the headline Meta privacy warnings, WhatsApp is just fine albeit Signal is better. And while there is also a more secure RCS protocol in the works, that won’t turn up and be deployed soon enough to address the FBI texting warning.
Is there any way back for RCS? That depends on Apple. The iMaker was clearly reluctant to adopt RCS in the first place, and did so while still warning that it’s not secure and is open to carrier interception—even before Salt Typhoon turned up. The latest iPhone firmware—iOS 18.2—also offers users the option to change default messaging, which makes an RCS recovery even harder.
If Apple and Google quickly announce a fully encrypted bridge between Google Messages and iMessage, then they really will completely change the messaging landscape and deliver the “universal seamless messaging experience, improving how users connect around the world,” that Samsung and Google have promoted. Absent that, there is no way back for RCS to compete with the alternatives.
