New warning for billions of Google Messages users
Republished on December 9 with a new FBI warning into encrypted messaging and an explanation as to why RCS is not secure between iPhone and Android, addressing user confusion after the recent text messaging warnings.
Suddenly, it has all gone wrong for Google Messages. After campaigning for years to see the realization of its “seamless messaging” dream, no sooner was it here than it was gone. The question now is whether there’s any chance it will ever come back.
Rather like a slow motion train crash, while Apple’s long-awaited adoption of RCS was quickly celebrated by Google, no sooner had it launched than it was being criticized for its awkward security vulnerability—despite iMessage constantly lauding its end-to-end encryption, those green bubbles continue to do without.
Google and the GSMA were fast to respond, promising end-to-end encryption for RCS is now in the works. But while that might have carried the day, along comes China to spoil the party. Its state-backed hackers, it seems, have broken into US telco networks, underlying the very reason Apple, Google and others insist on end-to-end encryption in the first place. With the FBI and CISA now both warning citizens to use responsibly encrypted platforms, cross-platform RCS has taken a huge hit. Even Samsung has warned users that texting Android to iPhone lacks security.
Apple has never made any secret of the fact that iMessage is only secure within its own walled garden. It was Google pushing for cross-platform RCS, not Apple. And when it finally launched with iOS 18, Google put out the public messaging on non-blurry images and other new features, Apple didn’t say much if anything at all.
And so it’s Google Messages that must now pick up the pieces of this security nightmare and work out what it does next. How fast can RCS be upgraded to meet the “responsible encryption” bar set by those US government officials? How does Google or Apple push users to send basic RCS/SMS texts against the backdrop of those government warnings? How quickly will network confidence return?
But with timing being everything, the final concrete block standing in the way of that RCS train might be Apple’s imminent iPhone update—iOS 18.2. Much to everyone’s surprise, the iMaker has decided to offer all its users—not just those in regulated Europe–the option to change their default apps. That means selecting an over-the-tops like WhatsApp or Signal for default calls and messages for the first time.
The 2024 RCS dream has taken a hit, albeit whether or not it has been holed below the waterline remains to be seen. What is clear is that this plays into the hands of Meta, which owns the world’s largest end-to-end encrypted messaging platforms, WhatsApp and Facebook Messenger, even if they’re not “responsibly” encrypted per the FBI’s terminology, which means lawful access to content when warranted.
For Google Messages users defaulting to that platform when texting friends, family and colleagues, you now need a new app. If you don’t have WhatsApp or Messenger or Signal, then you should install one now. The pick of the bunch is WhatsApp, which finds the right balance between security, functionality and scale. You’ll increasingly find the people you message will already have the app installed.
Keeping with the security theme, to ensure the integrity of end-to-end encryption, you need to do two things. First, set up WhatsApp (or an alternative) properly. That means two-factor authentication and passkeys when available. Second, ensure you don’t take risks with links, downloads and app installs. Whatever messenger you use, if an attacker takes control of your phone through malware or luring you to install a malicious app, it’s as if you haven’t secured your content at all.
The irony has continued for Google, with the news that Samsung is ditching RCS for millions of its Galaxy users still using Samsung Messages and recommending they switch to Google Messages. The Galaxy maker warned Verizon users that “Samsung Messages will no longer support RCS after 1.6.2025. Switch to Google Messages to maintain the more robust messaging you’re used to.”
As Neowin reports, “this announcement confirms that Verizon users relying on RCS through Samsung Messages will need to switch to Google Messages to keep advanced features like read receipts, typing indicators, and high-quality media sharing. Regular SMS and MMS will still work, but the enhanced experience is tied to RCS.
Samsung has been backing away from its own Messages app and pushing users to Google Messages for some months, which was seen as one of the last steps in the consolidation of stock messaging across the Android ecosystem on a single app. Add Apple’s adoption of RCS into the mix, and it did seem that all the planets were aligning for Google on the twin challenges of presenting a seeming iMessage equivalent for Android and also a seamless messaging experience into iMessage to entice Android users away from WhatsApp.
As Android Police explained in the fall, “Samsung switched to Google Messages in favor of its messaging app with the Galaxy S21 series in Europe back in 2021. Since then, the company has slowly transitioned users from Samsung Messages to Google Messages. The latter is the de-facto RCS messaging app for Android, with Google constantly improving it with features like Gemini integration and full-screen effects.” At that time owners of older Galaxy devices were also seeing prompts to switch.
Now, though, that doesn’t cut it anymore—at least not when messaging cross-platform. There hasn’t been any real response from encrypted platforms to the FBI and CISA warnings last week, but we can likely expect reminders out of WhatsApp that users who haven’t switched should think of doing so now.
While the immediate impact of the FBI’s text messaging warning was to push users to encrypted platforms, there is a new sting in the tail. The FBI has now confirmed to me that “law enforcement supports strong, responsibly managed encryption. This encryption should be designed to protect people’s privacy and also managed so U.S. tech companies can provide readable content in response to a lawful court order.”
This means pushing those secure platforms to provide content when required by a court warrant. This will add to user confusion on cross-platform RCS following the news headlines in recent days. There has been a lot of online commentary on RCS in general and Apple’s deployment of the new texting protocol in particular, but the facts remain very simple and have not changed.
Salt Typhoon and the resultant FBI warning highlight Google’s and Apple’s different attitudes to RCS. Per NBC, Android promotes this messaging as a key feature. “Rich Communication Services (RCS) chats provide an upgraded, rich messaging experience… RCS chats show you when someone is typing, offer read receipts, let you share files and high-resolution photos and more.” While Apple takes a a different approach. “Apple has said that RCS messaging is a ‘carrier-provided service’.”
This is critical and helps explains the yawning security gap in messaging cross-platform and why Android users need to consider alternative options to securely message outside the Android walled garden.
Google describes RCS as “better carrier messaging for everyone… Texting changed the way we communicate, but it’s out of date. Today we want messaging that lets us do things like share high-res photos and larger files, chat with a group, know when messages are read, or make video calls. RCS makes all this possible, and now the mobile industry is coming together to bring it to users everywhere.”
And this is not a surprise. Google essentially took responsibility for driving RCS adoption away from the carriers given their slow progress, and instead turned RCS instead into an Android default under the covers of Google Messages. It then added a wrap of its own features and its own security, which is why its end-to-end encryption is built on top of RCS and is not part of RCS.
Apple on the other hand is much more perfunctory. RCS is not a key iPhone features and it shows. Unlike Google, Apple describes RCS as text messaging and handles it as text messaging on its devices. “When you use iMessage,” it says, “your conversations are encrypted end-to-end, so they can’t be read while they’re sent between devices.” But if you use RCS, then it’s very different. “If you aren’t using iMessage, you can use RCS… With RCS, you can send texts, high resolution photos and videos, links, and more. RCS also supports delivery and read receipts and typing indicators. RCS messages appear in green text bubbles on your device.”
Apple describes RCS as “RCS text messages” and warns that its implementation “is based on the industry’s standard. RCS messages aren’t end-to-end encrypted, which means they’re not protected from a third-party reading them while they’re sent between devices.” This is true, but you can see the difference in tone. iMessage and RCS are not the same, Apple is not pushing RCS any more than it pushed SMS.
And Apple goes further, warning that RCS exposes user data beyond just content. “When your device connects to your cellular network, it communicates with your carrier and their partners to set up RCS. User identifiers are exchanged for your carrier and their partners to authenticate your device and provide a connection. These identifiers could include but are not limited to your IMEI, IMSI, current IP address, and phone number. Your current IP address might also be shared with other RCS users.” iMessage is different, it’s just a data stream to carriers.
As was widely reported last year when Apple u-turned on RCS, this seemed like a reluctant move. Google had pushed for this for years and Apple had resisted. But SMS is such an archaic technology, that eventually the upgrade was inevitable.
This has all shone a new light on what’s encrypted and what’s not. John Gruber warns that most users will not easily navigate Google’s RCS security. “It’s shamefully misleading,” he says, “Google Messages does support E2EE, but only over RCS and only if all participants in the chat are using a recent version of Google Messages. But the second screenshot in the Play Store listing flatly declares ‘Conversations are end-to-end encrypted,’ full stop,” which he says is not true.
Google encrypts its own RCS traffic with the open-source Signal protocol, which has become something of an industry standard. WhatsApp and Facebook Messenger use the same, as does Signal of course, the three most likely U.S. encrypted platforms users will now turn to instead of RCS. Apple uses a different encryption protocol for iMessage, but could adopt Signal for RCS and work directly with Google to provide a secure wrap across iPhone and Android texting.
While RCS is still presented as a carrier service and RCS as a standard protocol, the reality is that with Android standardizing on Google Messages and iPhone users having to use iMessage as their SMS/RCS client, there doesn’t need to be a standard protocol, just a fully encrypted bridge between Google Messages and iMessage.
No sign of that happening, through.
And so the problem, as Gruber explains, is that “a typical Android user without technical expertise who takes the advice (now coming from the FBI) to use end-to-end encryption for their messaging… would look at Google’s own description of Google Messages and conclude that if you use Google Messages, all your messages will be secure. That’s false. And depending who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it’s quite likely most of your messages won’t be secure.”
