RCS, or “Rich Communication Services”, is a new standard in mobile communications that functions as an extension to classic SMS. RCS messages are sent via mobile data connections or WLAN, which raises potential security concerns. So, how secure is RCS?
Which encryption does RCS use?
First things first: RCS security measures are stronger than those for text messages, and in many cases end-to-end encryption is now offered as well. However, how good the security measures are depends on the device manufacturers and mobile phone providers offering the service.
The original standard, which was developed by the mobile communications association GSMA, does not yet provide for end-to-end encryption. The association sees this further development as the next milestone in the communication between devices from different manufacturers, as announced in its press release “RCS Now in iOS: a New Chapter for Mobile Messaging” in September 2024.
RCS is available on Apple devices from iOS 18, but currently without end-to-end encryption. On Android devices, the Google Messages app is now used for RCS by default. Google Support explains the encryption in this app as follows: end-to-end encryption is used; if it is not available, the messages are protected by TLS (Transport Layer Security) encryption. The data sent is temporarily held in a queue in Google’s RCS infrastructure (under random, unpredictable URLs) and deleted after delivery. If RCS is not available, the RCS message is deleted from the queue.
Security for RCS Business Messaging (RBM)
RCS Business Messaging (RBM) offers the same framework as RCS, but provides additional security by focusing on the verification of companies—thus strengthening customer trust and preventing spam. “Verification is carried out via mobile network providers, third-party verification providers, and Google itself,” explains Anton Chmelar, Director of Sales & Procurement at iBASIS Austria. In addition, when offering both RCS and SMS, companies must obtain explicit consent from customers that they wish to receive messages, and there must also be a clearly recognizable opt-out option. The companies sending the messages are responsible for making sure that they are sent in compliance with the GDPR.
Conclusion: RCS security is constantly increasing
Although the original RCS standard did not include end-to-end encryption, there are now clear efforts to make the service as secure as possible for customers. Major players such as Google are leading the way by providing end-to-end encryption in their messenger apps. It is also important to keep the additional requirements of the GDPR, such as its data protection rules, in mind.