Messaging via RCS: more security for everyone thanks to Universal Profile 3.0

Google and Apple soon want to enable end-to-end encryption for RCS. But that's not all: the entire standard is to be raised.

RCS logo in front of phone: Is the SMS successor finally getting off the ground?

(Image: LuckyStep / Shutterstock)

Google has been trying for years to establish the Rich Communication Standard, or RCS for short, as a cross-platform SMS successor. Most recently, it looked like it might succeed: Since iOS 18.2, Apple has finally incorporated the service into its iMessage app, which is the default messenger on the iPhone. The problem: at the moment, messages sent between Android and iPhone are still unencrypted, meaning they are sometimes just as insecure as SMS. This is only set to change with iOS 19, in fall 2025 at the earliest.

Between Google devices, on the other hand, RCS has been encrypted for some time when using the Android standard messenger. But now the GSM Association (GSMA), the association of mobile network operators, wants to remedy the situation: The new RCS Universal Profile 3.0 promises to implement encryption for the messaging service in its entirety, regardless of whether it is a stock Android, a customized Android or even an iPhone, as long as the profile is supported.

The GSMA RCS Universal Profile 3.0 specifications have been officially released this month. "The biggest step forward in this latest release is that it includes the requirements and user experience for end-to-end encryption of RCS messages," writes the organization, which is aware of the importance of this step. "This includes not only the encryption itself and the control users have over it, but also side effects such as the need for improved client-side spam detection and handling."

In contrast to iMessage, which enforces encryption, RCS encryption can be switched off. It remains to be seen whether it will also have to be actively switched on, as is (unfortunately) already the case with other messengers. That would be unfortunate because many users would then continue to use the service unencrypted despite the technical ability to secure it. It is also possible that the security of a group chat will be downgraded from encrypted to unencrypted if a member invites a person without active encryption. Typing indicators, i.e. the indication that a user is typing something, are not encrypted at all.

The encryption standard used by RCS Universal Profile 3.0 is called Messaging Layer Security, or MLS for short. Among other things, it provides forward secrecy and a check of the integrity of a message, and it is already used by Google for its in-house RCS encryption. The idea is to have a uniform standard, similar to the TLS web encryption protocol. However, Apple will only use MLS for communication with RCS counterparts; for internal iMessage encryption, the company continues to go its own way with its own solution, which is said to have recently gained PQ3 as well.

Work on RCS Universal Profile 3.0 had already begun in 2022, when an initial definition document was also published. "The transactions of the user network interface should always be encrypted to prevent interception of the user's personal communication in the various access and transit networks," it states as the goal. At that time, however, the intention was still to rely on TLS and IPsec. Meanwhile, the British government, which has just tried to force Apple to provide a backdoor in iCloud, will probably not like RCS encryption at all.

The implementation of RCS encryption could one day finally spell the end of text messages, or at least of their insecure use. Text messages are fundamentally unencrypted, and using them for two-factor authentication (2FA) procedures has long been discouraged, even if Apple itself still uses the technology as a fallback. It remains unclear whether SIM card hijacking, as we know it from SMS, will still be possible with encrypted RCS messages: attackers "hijack" the victim's phone number through the mobile provider (via (e-)SIM swap) and then have 2FA codes sent to it.

RCS Universal Profile 3.0 also promises other interesting new features. These include the ability to subsequently edit sent messages and undo the sending process. Tapback with any emojis and images is also planned.

(olb)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.