WhatsApp has become the dominant messaging platform, dwarfing all other contenders with the exception of its Facebook stablemate Messenger. In doing so, this hyper-scale “over-the-top” platform has also pushed legacy SMS messaging into the background, which given its limitations is no bad thing. But now the latest move from Google’s Android is likely to be WhatsApp’s sternest challenge yet.
If you haven’t caught up with RCS yet, you soon will. Rich Communication Services is a reinvention of cellular messaging, a halfway house between the SMS ecosystem run by network operators and platforms like WhatsApp and iMessage. The wide-scale RCS rollout is being driven by Google as Android’s iMessage equivalent, but it has always had one critical flaw. Until now. Maybe.
WhatsApp popularized the shift from network-based SMS to a separate messaging platform. The cross-platform app enabled users to exchange richer data, to send messages over WiFi at a time when many users still paid for each SMS sent. This was followed by groups, voice and video calls, and its now trademark end-to-end encryption. Messaging had been reinvented.
A couple of years after WhatsApp, Apple jumped into the game with iMessage—its obvious drawback, that senders and recipients had to be using iPhones, was overcome by integration with the standard SMS platform on those phones. If a recipient was not on iMessage or was offline, the message would revert to SMS.
The thinking behind RCS was to deliver a best of both worlds solution—the cross-platform ubiquity of SMS with the functionality of WhatsApp and iMessage, but built right into the core network infrastructure. And for the networks, who have lost billions in revenue to the dominant over-the-top platforms, this was an opportunity to try and pull some of this back.
The issue, though, and it’s a big one, is that the SMS infrastructure is inherently insecure, lending itself to so-called “man-in-the-middle attacks.” Messages run through network data centres, where everything can be seen—security is basic at best, and you are vulnerable to local carrier interception when travelling.
I can’t stress enough how insecure SMS messaging is for anything that is sensitive, whether travelling or not. This is an archaic solution and there are multiple better options. Last November, I reported on the Chinese state-sponsored threat groups that had compromised multiple network operators to plant keyword- and user-hunting malware in the SMS centres themselves.
That same month, a German security firm warned that RCS is little better, with deployments “badly protected in many networks, allowing hackers to fully take over user accounts.” The researchers claimed that the RCS vulnerabilities include caller ID spoofing, user location tracking and message interception.
The answer, of course, is end-to-end encryption. The way this works is to remove any “man-in-the-middle” vulnerabilities by encrypting messages from endpoint to endpoint, with only the sender and recipient holding the decryption key. This level of messaging security was pushed into the mass market by WhatsApp, and has now become a standard feature of every other decent platform.
Such is the security of this architecture that it has prompted law enforcement agencies around the world to complain that they now cannot access a user’s messages, even with a warrant. There is no backdoor—the only option is to compromise one of the endpoints and access messages in their decrypted state. Somewhat ironically, when the U.S. National Security Agency published a recent advisory on messaging, top marks went to the platforms that encrypted this way.
You should not use a messaging platform that is not end-to-end encrypted; it really is as simple as that. And so there’s genuine reason to celebrate the news that suggests Google has taken this to heart, and plans to update RCS with this level of security. As reported by 9to5Google, which has studied a leaked internal development version of Google Messages, “we’ve found that work is well under way to allow you to send end-to-end encrypted messages via RCS.”
There are, apparently, multiple references to end-to-end encryption in the code, but little more than that is yet known. One thing that would certainly be a game-changer would be some form of standardized RCS end-to-end encryption that allows secure messages to be sent outside Google Messages. We do know that, just like iMessage, this new approach will fail over to SMS/MMS if a user cannot receive the encrypted variant or if bandwidth is insufficient on either end.
There is a wide range of other unknowns, of course, as the debate around messaging encryption continues. In the U.S., the EARN-IT bill working its way through Congress is an attempt to mandate backdoors into messaging platforms, severely weakening their security layers. WhatsApp owner Facebook, it now seems, is experimenting with other forms of safety analytics that don’t involve unpicking the encryption itself. We will soon find out if that appeases critics.
This is a major development—given the combined efforts of Google and the mobile networks, RCS will be the fastest deployed messaging platform of all time. Removing the critical flaw that seriously detracts from its usability is a huge win for the billions of you who should only use it with this added protection.