RCS vs iMessage: The REAL Problem of Privacy
I have a confession to make! Actually, I think of it more as a badge of honor. For I am a green bubble. I send those green bubble text messages to my family of iPhone users with pride. And now I have another reason to convert my iPhone-lovin’ fam over to Android. RCS is getting more and more secure. MWAHAHAHA. Ok, jokes aside, here’s what’s going on.
Although I’ve never experienced it firsthand, apparently there’s a rift between blue bubbles - iMessage users on iPhones - and green bubbles - literally the rest of the world. I’ve never been judged, at least to my face, by any iMessage users. Maybe it’s because everyone I surround myself with are pretty mature folks (when it matters), so we don’t really care if you use iMessages or Google Messages. As long as we can text back and forth, we’re good!
But some people do judge others based on the color of their… message. Is it a perceived bias about financial status? Are Androids perceived as “cheap” - I can tell you firsthand that they are not. Or does it simply have to do with features and the lack of performance when texting someone on the other side of the smartphone ecosystem?
There are truly some limitations. This is because iMessage and Google Messages use different protocols and they don’t communicate well with each other. For example, if someone sends a message from one iPhone to another iPhone using iMessage, both of those users get end-to-end encryption, read receipts, high-res photos and videos, reaction emojis, and more.
If an Android user sends another Android user a message using Google Messages, both of those devices also get end-to-end encryption, high-res photos, read receipts, etc. iMessages get sent via Apple’s messaging protocol, and Google Messages get sent as Google’s form of RCS, or Rich Communication Services protocol. Both of these protocols work great, but only when they’re being used to communicate with someone using the same protocol.
This is why if you text someone on another platform, you don’t see read receipts, your photos or videos get sent in low resolution, you see their reactions as “jenny laughed at an image” rather than just seeing their emoji reaction, and your text color is different.
Unfortunately, Apple has point blank said they won’t be adopting the RCS protocol. They don’t want to make it easier (or more secure) for you to text your Android fam - they just want everyone to buy iPhones. I’m not even kidding. This is literally what Tim Cook has stated.
In my opinion, this refusal to adopt a protocol that Apple has been invited to use is anti-privacy. Because - this is the important bit - every time you send someone a message from an iPhone and they’re on Android or vice versa - every single one of those messages is not encrypted. It is downgraded to SMS / MMS, which is widely used, but old and can be intercepted. This is also why all of those high tech features get downgraded too - photos look like potatoes and so on. This is the same reason why we in the security community recommend upgrading your two-factor authentication to an app or hardware key (I’ve done videos on these if you want more information). Because 2FA codes are sent via SMS, and SMS is vulnerable.
The only way you can get around this issue right now is by using a third-party app like Signal - but both you and the receiver have to have that app installed in order for those messages to be encrypted, and Signal doesn’t even support SMS anymore so you’d still need a different app to send messages cross platform. But that way you can get encrypted messages from an iPhone to an Android and vice versa.
However, it’s HARD to get people to use a third-party app for anything, especially when you’re so ingrained in an ecosystem. It’s hard to give up using iMessage or Google Messages.
But Android devices are headed in a more secure direction, with this month being a big deal for security and privacy fans, and this news is a long time comin!
I’m assuming if you’ve watched this far, you worry about your privacy.
If so, you're not alone. In today's digital world, our personal information is constantly being collected and shared. Sometimes, it’s pretty creepy: Have you ever seen an ad for something you’ve never mentioned online? Sometimes, it’s convenient: Our smoker grill just died, and my husband was seeing ads for new ones hours later. Creepy, but apparently there was a sale going on, so useful??? You may not be actively typing this information into websites, but websites use sets of data about you to build a profile of who you are. They know we have a smoker because we buy pellets for it. Our information is more vulnerable than ever before.
That's why it's so important to take steps to protect our privacy. One way to do this is to use DeleteMe. DeleteMe is a service that helps you remove your personal information from the internet. They create a first line of defense by sending requests to websites and data brokers to remove your information. You don’t have to lift a finger, everything happens through DeleteMe, and they send you a report every quarter showing their results.
I’ve used DeleteMe for years, they’ve given me very positive results, and they keep adding new sites to their list of offenders. They keep tabs on my info so that I don’t have to. And anytime they see it pop up on sites like Spokeo or PeopleFinder or any of those people search databases, they send the opt out requests for me.
Use the code SNUBS at checkout - that’s S N U B S - for 20% off any of the consumer plans, or just click the link below or hit up JoinDeleteMe.com/MorseCode to sign up today and that code will automatically apply at checkout! Sign up now and safeguard your personal information today!
Huge thank you to DeleteMe for sponsoring this episode.
Back in April, Google announced that they were rolling out end-to-end encryption (E2EE) for RCS group chats. While E2EE was available for 1 on 1 convos for quite some time, this was a big deal.
Shortly after this, in July, Google announced they’re rolling out support for Messaging Layer Security, or MLS. That means Google Messages will now support end-to-end encryption across any platform and third-party apps that also support MLS. MLS support can improve group messaging privacy, because everyone could receive secure messages from a group text on their own MLS-friendly app of choice. Since this can be implemented across many different apps and platforms, Google is also open sourcing their implementation in the Android codebase. Hopefully this means a rollout will ensure more end-to-end encryption options whether your friend is using Google Messages or some other app on their own Android device. But this is just on Androids.
Now, for the geeks, this is MLS Specification RFC 9420 if you wanna look it up.
And just this month, Google announced that all RCS conversations in Messages are now encrypted by default. That includes group chats. RCS is now enabled by default for new and existing users too, unless it was turned off by the user for some reason in the settings.
How can you check if RCS is enabled? Open your Google Messages app, click on your photo icon, click messages settings, then click RCS chats at the top. This will show you if it’s enabled and you can turn it on from this page.
From a conversation, you can click the hamburger icon, click details, then see the status of a specific convo right at the top.
You’ll notice that messages companies send you about deliveries, 2FA security codes, or login requests are not sent encrypted - those are just sent via SMS, aka “texting”. So a big takeaway is to again - upgrade your 2FA to app-based or hardware keys and also - be skeptical and cautious of any messages that are sent via SMS - this is a big way phishing and credential stealing can happen: attackers send you a text, pretending to be a company, and get you to click on a link to a malicious site.
With these steps in the right direction to help users keep their messages private and confidential, we can see how fluid and convenient that security can be. Sure, some folks may have a need for a third-party app for encryption and don’t want to use Google’s app that comes preinstalled. But most folks don’t want to install another app for messaging, at least here in the US (I realize WhatsApp is popular across the pond). Anything that provides better security for an average user so they don’t even need to think about it is a positive in my book. The encryption should just happen - it shouldn’t be an optional setting you have to find and enable manually.
So, I’m quite happy being a green bubble. I don’t think we should judge others by the bubbles, but we should be criticizing brands and companies for not putting our security and privacy first. Google is certainly a big offender when it comes to using personal data for targeted ads and search, but credit where credit is due in terms of enabling default encryption and open sourcing projects for other manufacturers. Sure, they can’t force any other brand to play ball for cross-platform encryption, but they have offered an olive branch and made steps to make that happen.
Do you feel the same? Do you think cross-platform, built-in, default encryption should be the norm? Sound off! And subscribe if you like deep thought analysis about security like this video. Thanks again to DeleteMe for sponsoring. Thanks for watching, bye y’all.