Incorporating RCS messaging for Android on iPhone can compromise my security?

I’m an avid iPhone user and have mixed feelings about incorporating RCS messaging for Android on iPhones. Will this compromise security?


[Re-Titled by Moderator]

iPhone 14 Pro Max

Posted on Nov 20, 2023 6:44 PM

Question marked as Top-ranking reply

Posted on Jan 15, 2024 3:52 AM

I don't think you actually understand what RCS is.


On your iPhone's message app, you can send either iMessages (blue bubbles) or SMS text messages (green bubbles).


SMS text messages (SMS = Standard Messaging Service) are actually very unsecure.

For example, since SMS messages are actually not encrypted at all, anyone with a mini cell tower can pick up text messages being sent and received in that area, and read them without issue since there's not any encryption (this is just an example of how it's not secure, not saying this is actually happening to the average person)


RCS text messages (RCS = Rich Communication Service) are simply an upgrade to SMS which does include proper encryption (since Google has stepped up and streamlined RCS and made the new standard).

It will be very similar to iMessage (iMessage will still be better), and will allow you to send high quality pictures, video, see typing indicators, read receipts, and most importantly encrypted messages. Apple has since confirmed all of these features as well!


Apple also stated that it will be working with GSMA, and Google to improve the encryption on RCS as a whole.


TLDR: You have absolutely nothing to worry about, this is literally just going to add more security to your phone AND improve your texting experience with anyone who doesn't own an iPhone :)

64 replies
Mar 14, 2024 7:42 AM in response to Saegzz

The security of one-on-one and group chats which involve only other iMessage users will be unaffected by this change.


The security of one-on-one and group chats which involve any mix of RCS users and one or more iMessage users will not be any worse than it was before the change. Apple has said that they will not incorporate any nonstandard features which aren't mandated by the Universal Profile; therefore it follows that Google's end-to-end encryption feature will be absent. However, point-to-point encryption (using TLS) will be used for the connection from your handset to the RCS server. This, at least, is more than what's currently done when messages are sent using SMS.


The net effect will be, that it will not be practical for 3rd parties sniffing packets over the air to intercept the content of your RCS messages the way it would have been possible to do with legacy SMS/MMS. However, the RCS server itself will still have access to the message's full text as it undoes the sender-to-server encryption, and then re-wraps it up in the server-to-receiver encryption.


Apple has committed to working with the GSMA to improve future revisions of the Universal Profile specification. This could potentially include providing a standardized implementation of end-to-end encryption as well. Only time will tell.


This assumes, by the way, that the iPhone itself will gain the ability to talk directly to your carrier's RCS server. (Or, it might fall back to using some carrier-agnostic server in the case that your carrier doesn't operate its own server.) That assumption introduces some very real usability use cases which could make the whole system even more fragile than the MMS/SMS fallback that exists today: For example, what happens if your group chat includes a mix of some RCS users, some "new" iPhone users, and some "old" iPhone users? (Presumably the new Messages app with RCS compatibility will not be rolled out to obsolete iOS versions.)


This sort of use case would be much better served if Apple added RCS compatibility by way of federating in the back-end server: The Messages app continues to talk exclusively using the iMessage protocol to the iMessage server; and then the iMessage server takes responsibility for relaying messages to/from the relevant RCS service provider(s) on an as-needed basis.


But at this stage, we really don't have any definitive indication of exactly how Apple will end up implementing this.
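
The difference between hop-by-hop and end-to-end protection described in the post above, as an added example that is not part of the original thread. The `RelayServer` class, the `deliver` helper and the toy cipher are hypothetical stand-ins for an RCS server and for TLS; the message and keys are constructed.

```python
import hashlib, hmac, os

# Toy authenticated cipher (SHA-256 keystream + HMAC tag). It stands in for
# TLS record protection and for an E2E layer; it is NOT production crypto.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class RelayServer:
    """Hypothetical relay: terminates one hop and re-wraps for the next."""
    def __init__(self, key_to_sender, key_to_receiver):
        self.k_in, self.k_out = key_to_sender, key_to_receiver
        self.seen = []  # everything the operator can read while relaying

    def relay(self, blob):
        inner = open_(self.k_in, blob)   # undo sender-to-server protection
        self.seen.append(inner)
        return seal(self.k_out, inner)   # re-wrap for server-to-receiver

def deliver(message, e2e_key=None):
    """Send one message via the relay; returns (received, server_view, on_air)."""
    k_a, k_b = os.urandom(32), os.urandom(32)  # per-hop keys (constructed)
    server = RelayServer(k_a, k_b)
    # With an E2E key, the payload is sealed before it ever reaches a hop.
    payload = seal(e2e_key, message) if e2e_key else message
    on_air = seal(k_a, payload)                # what a radio sniffer captures
    out = open_(k_b, server.relay(on_air))
    received = open_(e2e_key, out) if e2e_key else out
    return received, server.seen[0], on_air
```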

May 9, 2024 10:09 AM in response to SeeAMarsh

SeeAMarsh wrote:

Because iMessage is the only reason a lot of people stick with iPhone over Android. Apple has admitted this publicly. RCS is just as good as iMessage. There is no noticeable difference. I use both as I have Apple and Android devices and one is not better than the other.


The RCS standard does not include encryption. It’s an extension.


I’d expect some parties involved in the RCS standard don’t want RCS encryption, too.


iMessage does use end-to-end encryption, as do some RCS implementations from some vendors. (RCS encryption is a vendor add-on however, and not all implementations include it. Google rolled out end-to-end RCS encryption last year for group chats, and some RCS traffic apparently still traverses Google servers unencrypted.)


But this whole area is a moving target.


iMessage recently added contact key verification (technical details), for instance. So you get notified if somebody else tries to pretend to be a contact.


iMessage security isn’t quite up to what Signal provides, but is well regarded.


RCS as a replacement for SMS with similar capabilities and with similar privacy, sure.

Jan 23, 2024 7:00 AM in response to MrHoffman

MrHoffman wrote:


IdrisSeabright wrote:

Apple's announcement did not indicate that it would be adopting Google's version of RCS. If that is true, there may not be end-to-end encryption.

Yep. “Google has added support for end-to-end encryption for all chats using RCS in their own app, Google Messages. End-to-end encryption is not a feature of RCS specified by GSMA.”

Not part of the spec, but possible to add encryption via non-standard extension.

RCS bubbles reportedly to be green, too.

Yes, that was my understanding. So, people who are excited that they will have more security with RCS than SMS may end up being disappointed.


I'm glad they're leaving the bubbles green. I think it's hilarious that there are people who get their knickers in a twist over message color. Also, I find it amusing that Apple is giving Google what they want without giving Google what they want.

Jan 30, 2024 7:18 AM in response to IdrisSeabright

It's a perfectly accurate statement. I think you either didn't read the entire post to which you're replying (or the other posts and links in the article), or you didn't understand it. The RCS standard does not include encryption.


It is a deceiving statement because when people talk about RCS, they are de-facto talking about Android. 99.99% of the people who use RCS will be using Google's open-source (*not* proprietary) implementation, which includes E2E encryption in most jurisdictions (see next).



You could also look at it this way. Google is trying to wrest control of market share from Apple by trying to force Apple into using a Google-controlled messaging standard.

Actually, no.


There is a very good reason RCS does not have E2E by default, and it is political. RCS is not a Google standard, it is a GSMA standard - Google donated RCS to GSMA to take it through the standards track. GSMA is *global*, and every telephone company on planet earth is a member. Many telephone companies are simply not allowed to offer E2E encryption to their customers because it is illegal in their country. Having any notion of E2E built-into RCS, would then make it unpalatable as an international standard. That is why it isn't there - it isn't because of some grand conspiracy.


Google, meanwhile, kept E2E encryption in their open-source implementation of RCS, allowing handset manufacturers and distributors to turn it on or not based on national laws.


Apple saying "we are not going to implement E2E because it is not in RCS", is therefore a cop-out in order to have a marketing justification for why iMessage is better on iOS, and Apple knows as such.


Jan 30, 2024 7:41 AM in response to brunes007

brunes007 wrote:

There is a very good reason RCS does not have E2E by default, and it is political. RCS is not a Google standard, it is a GSMA standard - Google donated RCS to GSMA to take it through the standards track. GSMA is *global*, and every telephone company on planet earth is a member. Many telephone companies are simply not allowed to offer E2E encryption to their customers because it is illegal in their country. Having any notion of E2E built-into RCS, would then make it unpalatable as an international standard. That is why it isn't there - it isn't because of some grand conspiracy.


A brief history of Google and chat, including RCS:


https://arstechnica.com/gadgets/2021/08/a-decade-and-a-half-of-instability-the-history-of-google-messaging-apps/


In that, see the sections “Google & RCS (2019)—So we found this dusty old messaging standard in a closet...” and “RCS is bad, and anyone who likes it should feel bad“, among others.


GSMA encryption algorithms for connection security: https://www.gsma.com/security/security-algorithms/

Mar 19, 2024 4:20 PM in response to JetMan3000

JetMan3000 wrote:

I don’t think it was ever stated that he was an expert in security or messaging. We who read it understand it was stated for validity. I am curious about your statement “it’s especially problematic if used for MFA“. How so, if you don’t mind explaining?


Apple uses multi-factor authentication (MFA) for Apple ID, among other uses.


Apple MFA usually uses Apple Messages, which is secure, and lately can also be authenticated.


This absent fallback to SMS.


MFA via unencrypted links including SMS and (standard) RCS is unencrypted, and can potentially be intercepted.


There have been examples of MFA compromises using SMS interception, as well.


For example:


MFA via SMS is still better than no MFA, but is far less robust than other available MFA options.


If you’re a target for shenanigans, Security Keys (tokens) are well worth consideration.


Related reading:

Jan 22, 2024 9:33 PM in response to AXTS01

AXTS01 wrote:

Yes, this would be a great thing for Apple to do. SMS is unsecure; any messages that you sent over SMS can be read. Apple implementing RCS would secure the communication between iPhone and Android devices.

Apple's announcement did not indicate that it would be adopting Google's version of RCS. If that is true, there may not be end-to-end encryption.

Jan 22, 2024 9:51 PM in response to IdrisSeabright

IdrisSeabright wrote:

Apple's announcement did not indicate that it would be adopting Google's version of RCS. If that is true, there may not be end-to-end encryption.


Yep. “Google has added support for end-to-end encryption for all chats using RCS in their own app, Google Messages. End-to-end encryption is not a feature of RCS specified by GSMA.”


Not part of the spec, but possible to add encryption via non-standard extension.


RCS bubbles reportedly to be green, too.

Jan 30, 2024 6:47 AM in response to brunes007

brunes007 wrote:

RCS does have E2E encryption from Android to Android. So this is a deceiving statement.

It's a perfectly accurate statement. I think you either didn't read the entire post to which you're replying (or the other posts and links in the article), or you didn't understand it. The RCS standard does not include encryption. Google has added encryption to their version, which is used on Androids. So, while you are correct that messages between Androids are encrypted, it doesn't mean all RCS implementations are. The current best information is that Apple will not be implementing Google's proprietary version of RCS.


Apple could implement it when they implement RCS. If they choose to leave their users less secure in order to protect a market, that is their prerogative.

You could also look at it this way. Google is trying to wrest control of market share from Apple by trying to force Apple into using a Google-controlled messaging standard.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
