There’s a serious issue that impacts hundreds of millions of Android users worldwide—one that should have been flagged by the huge backlash that suddenly hit WhatsApp in January. But it wasn’t, and it gets surprisingly little attention, even though it puts you and your private information at risk. Here’s what you need to know.
Great news for Android Messages users this week—you can now schedule texts to automatically send some time later, which, Google says, “will continue improving the way you communicate and help you stay in touch.” According to Google, “half a billion people across the world use Messages to seamlessly and safely connect with family, friends and others every month.” Seamlessly yes. But safely? Maybe not.
From almost nowhere, 2021 has seen a belated and welcome focus on the security and privacy—or lack thereof—of the messaging apps we all use daily. WhatsApp has been slammed for the breadth of its data collection and for its back-end links to owner Facebook. Messenger has been outed for various security and privacy infringements. And iMessage has been lauded for further advancements to protect Apple’s userbase.
One platform that has seemingly escaped such attention is Google’s Android Messages, which is surprising given those hundreds of millions of users. If you’re an Android user, then this is likely your default. If it’s not, if you’re a Samsung Messages user, then read on—these serious issues impact you in exactly the same way.
Android Messages, Samsung Messages and their equivalents are just SMS clients, now being upgraded to Rich Communication Services or RCS—basically SMS for the 21st century. If you’re a regular reader of this column, you’ll know that SMS fails dismally when it comes to securing your data. If you naturally assume that RCS will fix this issue, then think again. RCS out of the box is not that much more secure than SMS.
As Google accelerated its RCS rollout in 2019, Germany’s SRLabs warned that upgrading SMS to RCS without a security rethink “exposes most mobile users to hacking,” that RCS provisioning “is badly protected in many networks… allowing hackers to fully take over user accounts.” And Google Messages “does not implement sufficient domain and certificate validation, enabling hackers to intercept and manipulate communication through a DNS spoofing attack.”
You probably already have the RCS “chat” update to your Android Messages app, or you may have the functionality on Samsung’s own platform. Any use of Google’s messaging app can move to RCS, given that it’s underpinned by a Google platform which is separate to your carrier. Samsung’s rollout is patchier, but if you don’t have it yet, it’s on the way. It’s easy to tell if you have RCS on your phone—it unlocks richer features than SMS. But while RCS might look like an iMessage or WhatsApp equivalent, it isn’t anything of the sort.
The issue is the security of your messages. You can’t have escaped the debate raging around end-to-end encryption—it has been WhatsApp’s defense against the recent backlash, after all. WhatsApp has gone further this week, warning the tens of millions of users now quitting for alternatives that “we’ve seen some of our competitors try to get away with claiming they can’t see people’s messages—if an app doesn’t offer end-to-end encryption by default that means they can read your messages.”
On the surface this is an attack on Telegram, which has infamously failed to end-to-end encrypt its messages by default, despite (ironically) claiming security as one of its primary benefits. But that same encryption criticism can equally apply to Facebook Messenger and, of course, to Android Messages (and Samsung Messages), whether or not the apps are updated to RCS. I’ve seen some tech sites suggest Android Messages as an alternative to WhatsApp, given the backlash. This is very poor advice.
Fans of Android Messages point to Google’s long-awaited addition of end-to-end encryption to its RCS messaging platform, now in beta. But this has too many caveats to advocate its use. First, it’s only in beta—and that means you and those you chat with need to be enrolled in the beta program to use it. More seriously, the end-to-end encryption within Android Messages is of the same limited variety as Telegram’s.
Just like Telegram, Google’s RCS end-to-end encryption only works between two individuals, no groups, and only between one device per person. This is as basic as it gets, and it doesn’t get close to the level of security offered by Apple’s iMessage or Signal or WhatsApp. The latter two are, of course, both available on Android, and are much better than RCS. You can even make Signal your default messaging app.
Ahead of Google’s launch of its end-to-end encryption beta, I asked it whether any of the flagged RCS security issues had been addressed. They did not respond. Their subsequent encryption beta is too limited to resolve the issue. And where Google’s RCS shifts traffic from the network systems, its security is no better than Facebook Messenger, where your data is open to the platform.
As Google says, “chat features by Google uses Transport Layer Security (TLS) encryption to protect your messages. This means that anyone trying to intercept messages between you and Google would only be able to see encrypted, unreadable text.” Google, though, can see everything. This is the main criticism levelled at Facebook Messenger. It’s no different here.
It’s important that Android Messages users understand these differences—the debate raging over WhatsApp’s privacy (or lack thereof) has emphasized how difficult it is for many users to understand the security differences between the various apps on offer. And the idea that users may quit WhatsApp for Android or Samsung Messages is a major backward step. That said, tens of millions are reportedly flocking to Telegram, which from a security standpoint is little better. I’ve warned about this before.
Beyond encryption, there’s another reason why it’s time to quit Google’s Messages app. The WhatsApp backlash was initially triggered by Apple’s privacy labels, which forced app developers to disclose the data collected from users. It soon became clear that WhatsApp was way out of step with its peers—Signal, iMessage and Telegram.
Google is often grouped with Facebook when it comes to the world’s leading data harvesters. And while we can’t check for an Android Messages privacy label—obviously there’s no iOS app—we can look at Gmail to get a sense of Google’s data collection policies, and compare this to Apple’s equivalent. Unsurprisingly, it’s pretty awful.
So, let’s go back to WhatsApp’s warning. If your messages aren’t end-to-end encrypted, it says, that means the platform “can read your messages.” We know, for example, that Facebook reads Messenger content to monitor for policy breaches. Google can do the same. Where messages travel across its RCS platform, they are encrypted between your phone and Google, but not end-to-end. And Google has the key to that encryption.
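The gap between encryption to the platform and end-to-end encryption, described here and in the TLS paragraph above, can be modelled with a relay server that terminates each encrypted link. This is an added example, not code from Google or from this article's author; the pre-shared keys, the `deliver` helper and the HMAC-based cipher are assumptions standing in for real TLS sessions and a real end-to-end protocol.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a real cipher).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def deliver(text, sender_link, recipient_link, e2e_key=None):
    """Send text via a relay; return (wire bytes, server's view, recipient's text)."""
    payload = seal(e2e_key, text) if e2e_key else text
    wire = seal(sender_link, payload)            # hop 1: sender -> server
    server_view = unseal(sender_link, wire)      # the server terminates the link
    onward = seal(recipient_link, server_view)   # hop 2: server -> recipient
    got = unseal(recipient_link, onward)
    return wire, server_view, (unseal(e2e_key, got) if e2e_key else got)

# Constructed sample keys and message (assumptions for this model only).
LINK_A, LINK_B, E2E = os.urandom(32), os.urandom(32), os.urandom(32)
MSG = b"meet at the usual place, 7pm"

if __name__ == "__main__":
    for label, key in (("transport only", None), ("end-to-end", E2E)):
        wire, seen, got = deliver(MSG, LINK_A, LINK_B, key)
        print(label, "| on the wire leaks:", MSG in wire,
              "| server reads plaintext:", seen == MSG, "| delivered:", got == MSG)
```

In both modes a network eavesdropper sees only ciphertext; the difference is what the server holds after terminating the link.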
Until Google’s RCS offers end-to-end encryption by default and can provide that level of security for groups as well as 1:1 messaging, then it’s as much of a no-no as Facebook Messenger. And Samsung’s alternative is exactly the same.
So, what should you do? You should quit using these apps and opt for end-to-end encryption instead. WhatsApp is (ironically) a much better option, despite Facebook’s looming presence in the background. Otherwise, given that iMessage (which has the best security architecture of all) is unavailable for Android users, you should opt for Signal, which is the best secure option, with a fast-growing userbase.