I’m an avid iPhone user and having mixed feelings about incorporating RCS messaging for Android on iPhones. Will this compromise security?
[Re-Titled by Moderator]
iPhone 14 Pro Max
You might feel worried without cause. iMessage is Apple's main messaging platform. Not everyone you message uses iMessage, so your SMS texts aren't secure at the moment. Bringing in RCS messaging will add security when messaging between your iPhone and any Android using RCS.
Here-I-Am wrote:
I think paranoia is the most likely explanation. The most threatening of parties can likely get around any encryption.
I’ve cited cases. Everyone can and variously will make different assessments of their risks, and many of us have different risks. Inferring much, you seem to believe you have few or no risks. I do hope that works out for you.
SeeAMarsh wrote:
Because iMessage is the only reason a lot of people stick with iPhone over Android. Apple has admitted this publicly. RCS is just as good as iMessage. There is no noticeable difference. I use both as I have Apple and Android devices and one is not better than the other.
The RCS standard does not include encryption. It’s an extension.
I’d expect some parties involved in he RCS standard don’t want RCS encryption, too.
iMessage does use end-to-end encryption, as do some RCS implementations from some vendors. (RCS encryption is a vendor add-on however, and not all implementations include it. Google rolled out end-to-end RCS encryption last year for group chats, and some RCS traffic apparently still traverses Google servers unencrypted.)
But this whole area is a moving target.
iMessage recently added contact key verification (technical details), for instance. So you get notified if somebody else tries to pretend to be a contact.
iMessage security isn’t quite up to what Signal provides, but is well regarded.
RCS as a replacement for SMS with similar capabilities and with similar privacy, sure.
JetMan3000 wrote:
I don’t think it was ever stated that he was an expert in security or messaging . We who read it understand it was stated for validity. I am curious your statement “it’s especially problematic if used for MFA “ how so if you don’t mind explaining?
Apple uses multi-factor authentication (MFA) for Apple ID, among other uses.
Apple MFA usually uses Apple Messages, which is secure, and lately can also be authenticated.
This absent fallback to SMS.
MFA via unencrypted links including SMS and (standard) RCS is unencrypted, and can potentially be intercepted.
There have been examples of MFA compromises using SMS interception, as well.
For example:
MFA via SMS is still better than no MFA, but is far less robust than other available MFA options.
If you’re a target for shenanigans, Security Keys (tokens) are well worth consideration.
Related reading:
I agree, as user of both platforms, I believe this will benefit IOS more than Android, as it is more secured to send messages to everyone in your phonebook
MrHoffman wrote:
IdrisSeabright wrote:
Apple's announcement did not indicate that it would be adopting Google's version of RCS. If that is true, there may not be end-to-end encryption.
Yep. “Google has added support for end-to-end encryption for all chats using RCS in their own app, Google Messages. End-to-end encryption is not a feature of RCS specified by GSMA.”
Not part of the spec, but possible to add encryption via non-standard extension.
RCS bubbles reportedly to be green, too.
Yes, that was my understanding. So, people who are excited that they will have more security with RCS than SMS may end up being disappointed.
I'm glad they're leaving the bubbles green. I think it's hilarious that there are people who get their knickers in a twist over message color. Also, I find it amusing that Apple is giving Google what they want without giving Google what they want.
Here-I-Am wrote:
What kind of top secret stuff are you texting over there? Surly your agency has its own super secure texting platform.
You’re seemingly somewhat unfamiliar with the topic? Okay, well, we can hopefully explain some of what has been documented.
“Secrecy is the act of hiding information. Privacy is about being unobserved — being able to have my own experience of life without the eyes of anyone else on me.” — Bruce Muzik
For one publicized example: Target famously detected and exposed a pregnancy.
As unfortunate and problematic as that case was, there are other and far worse examples. Far worse.
Some related reading: https://thecontentauthority.com/blog/privacy-vs-secrecy
This is why I am less than interested in using (unencrypted) RCS, and why I think sharing an Apple ID can be bad, and why I am skeptical about first-few-hops VPNs, among other related concerns. Metadata is immensely valuable, and the actual chat data and email data, more so. And the vendors that want that data will expend immense sums to collect it.
Lawrence Finch wrote:
…SS7 can be eavesdropped with an inexpensive monitoring device, because it was never intended to be used to carry outside messages; it’s purpose is to permit signaling between carriers to set up phone calls, and thus it was assumed it would “always” be internal to carrier’s networks…
Having tapped directly into a switch (with the explicit permission of the switch owner) using SS7 via T1, E1, and faster, all sorts of mayhem is entirely possible.
SS7 mayhem has been the foundation for multiple service breaches, as well.
As for the thread, SMS is absolutely not secure.
Citations:
… https://www.dekra.com/en/exploring-sms-security-download/
Bog-standard RCS is little better, absent add-on encryption.
brunes007 wrote:
There is a very good reason RCS does not have E2E by default, and it is political. RCS is not a Google standard, it is a GSMA standard - Google donated RCS to GSMA to take it through the standards track. GSMA is *global*, and every telephone company on planet earth is a member. Many telephone companies are simply not allowed to offer E2E encryption to their customers because it is illegal in their country. Having any notion of E2E built-into RCS, would then make it unpalatable as an international standard. That is why it isn't there - it isn't because of some grand conspiracy.
A brief history of Google and chat, including RCS:
In that, see the sections “Google & RCS (2019)—So we found this dusty old messaging standard in a closet...” and “RCS is bad, and anyone who likes it should feel bad“, among others.
GSMA encryption algorithms for connection security: https://www.gsma.com/security/security-algorithms/
Psalmboy wrote:
I agree, as user of both platforms, I believe this will benefit IOS more than Android, as it is more secured to send messages to everyone in your phonebook
I’m unaware of a statement around whether the Apple RCS implementation will be encrypted.
Fosset wrote:
Ecosystem lock. Incorporating it gets rid of one of the barriers parents with iPhone's have when considering purchasing an android phone for their kid over an iPhone, as well as makes it easier for iPhone users to switch to android as iMessages is one of the big advantages of owning an iPhone. With a feature similar to iMessages on all devices, for all devices, people are more likely to considering switching
You seem to be new to this thread; it would be helpful if you read the rest of the thread. For every complex problem there is a simple solution, and it’s wrong. And your suggestion falls into the wrong category.
The security of one-on-one and group chats which involve only other iMessage users will be unaffected by this change.
The security of one-on-one and group chats which involve any mix of RCS users and one or more iMessage will not be any worse than it was before the change. Apple has said that they will not incorporate any nonstandard features which aren't mandated by the Universal Profile; therefore it follows that Google's end-to-end encryption feature will be absent. However, point-to-point encryption (using TLS) will be used for the connection from your handset to the RCS server. This, at least, is more than what's currently done when messages are sent using SMS.
The net effect will be, that it will not be practical for 3rd parties sniffing packets over the air to intercept the content of your RCS messages the way it would have been possible to do with legacy SMS/MMS. However, the RCS server itself will still have access to the message's full text as it undoes the sender-to-server encryption, and then re-wraps it up in the server-to-receiver encryption.
Apple has committed to working with the GSMA to improve future revisions of the Universal Profile specification. This could potentially include providing a standardized implementation of end-to-end encryption as well. Only time will tell.
This assumes, by the way, that the iPhone itself will gain the ability to talk directly to your carrier's RCS server. (Or, it might fall back to using some carrier-agnostic server in the case that your carrier doesn't operate its own server.) That assumption introduces some very real usability use cases which could make the whole system even more fragile than the MMS/SMS fallback that exists today: For example, what happens if your group chat includes a mix of some RCS users, some "new" iPhone users, and some "old" iPhone users? (Presumably the new Messages app with RCS compatibility will not be rolled out to obsolete iOS versions.)
This sort of use case would be much better served if Apple added RCS compatibility by way of federating in the back-end server: The Messages app continues to talk exclusively using the iMessage protocol to the iMessage server; and then the iMessage server takes responsibility for relaying messages to/from the relevant RCS service provider(s) on an as-needed basis.
But at this stage, we really don't have any definitive indication of exactly how Apple will end up implementing this.
Thank you Luke Morrison for an interesting analysis.
One other issue is that some countries have objected to RCS end-to-end encryption as a standard, because it would prevent governments from spying on its citizens. Of course, that horse has already left the barn with whatsApp, FB messenger, Signal and Telegram. And a few others.
Absolutely not. In fact it will enhance it when communicating with Android users. Although chats won't be encrypted end-to-end, they will be encrypted from device to server. Anything Apple says otherwise is just FUD.
The whole thing is a non-issue for me. I have no problem communicating with people who have Androids. No one I know seems to have blue-bubble envy. I do admit to a certain fascination with the discussion.
I transfer all of my truly private information on flash paper through dead drops. ;-)
I don’t trust Google
Incorporating RCS messaging for Android on iPhone can compromise my security?
