Revision #1

On May 11, 2026, Apple released iOS 26.5, enabling end-to-end encrypted Rich Communication Services (RCS) messaging between iPhones and Android devices [1]. The update marks the end of a years-long gap in which every text message crossing the Android-iPhone divide traveled in plaintext — readable by carriers, intermediaries, and anyone who could access the network.

Google simultaneously rolled out support on the latest version of Google Messages [2]. Together, the two companies have closed what was arguably the largest remaining hole in consumer messaging privacy: the default channel that billions of people use when they text someone on the other platform.

But the fix took nearly a decade to arrive, and what shipped has limits that matter.

The Long Road: From RCS Launch to Encryption

RCS development began in 2007 as a carrier-backed successor to SMS [3]. The GSMA published the first Universal Profile specification in November 2016, standardizing features like read receipts, typing indicators, and high-resolution media sharing across carriers [3]. Encryption was not part of the design.

For years, the standard advanced without addressing the plaintext problem. Google adopted RCS for its Messages app and, by 2020, had implemented its own end-to-end encryption for Google Messages-to-Google Messages conversations using the Signal Protocol [4]. But this only worked when both parties used Google Messages on Android — a fraction of all conversations.

Apple's entry changed the calculus. In September 2024, the GSMA announced it was working on interoperable end-to-end encryption for the Universal Profile standard [3]. In March 2025, the GSMA published Universal Profile 3.0, which specified end-to-end encryption using the Messaging Layer Security (MLS) protocol — an IETF standard (RFC 9420) designed for group key agreement [5][6]. Apple confirmed it would support the new standard [7].

Source: GSMA, Apple, Google announcements

Data as of May 12, 2026CSV

The specification was refined through Universal Profile 3.1 in July 2025 and a dedicated E2EE Specification v2.0 in February 2026, which improved certificate handling and file transfer encryption [3]. Apple began beta testing the feature in iOS 26.4 before the general rollout in iOS 26.5 [8].

From the first Universal Profile in 2016 to working cross-platform encryption in 2026: ten years. The delays were both technical — building a standardized encryption layer that works across competing implementations from different vendors — and commercial. Apple had little business incentive to improve the Android messaging experience, as the inferior green-bubble SMS fallback reinforced iMessage lock-in [9].

Who Was Exposed: The Scale of the Plaintext Problem

To understand what this change addresses, consider the scale of unencrypted traffic that existed before it.

Approximately 22 billion text messages are sent globally per day, with 8 trillion per year [10]. In the US alone, over 1 billion RCS messages were being sent daily before encryption was available [11]. Every cross-platform message between an iPhone and Android device — previously falling back to SMS or unencrypted RCS — was readable in transit by the carriers handling it.

Source: Infobip RCS Statistics 2026

Data as of May 12, 2026CSV

RCS adoption surged after Apple added basic (unencrypted) RCS support in iOS 18. In the US, RCS penetration jumped from roughly 4-5% to 70% [11]. France went from 25% to 80%, Germany from 50% to 80% [11]. RCS business messaging traffic grew 311% globally in 2025, with 50 billion business messages sent that year [11].

The Salt Typhoon breach in late 2024 demonstrated why this plaintext exposure was not theoretical. Chinese state-linked hackers penetrated the networks of AT&T, Verizon, and Lumen Technologies, gaining access to real-time unencrypted calls and text messages [12]. The breach was severe enough that CISA and the FBI jointly urged Americans to use encrypted messaging apps [13]. Jeff Greene, CISA's Executive Assistant Director for Cybersecurity, stated in December 2024: "Encryption is your friend, whether it is on text messages or if you can use encrypted voice communications" [13].

The majority of the world's messaging traffic, however, already ran through encrypted channels before this RCS update. WhatsApp has over 2 billion users with end-to-end encryption enabled by default using the Signal Protocol [14]. iMessage encrypts conversations between Apple devices and has over 1.3 billion users [14]. The RCS E2EE change primarily affects conversations where one party uses an iPhone and the other uses Android, and where neither party has moved their conversation to WhatsApp, Signal, Telegram, or another third-party app. The exact proportion is difficult to quantify, but in the US — where iMessage dominance means many iPhone users default to the built-in Messages app — the impact is substantial.

What Is and Is Not Protected

The encryption covers message content, photos, videos, and file attachments in one-on-one RCS conversations between an iPhone running iOS 26.5 and an Android device running a compatible version of Google Messages [15]. A lock icon appears in the conversation to indicate encryption is active [1]. The encryption is on by default, with a toggle available in Settings [8].

Several significant limitations apply:

Group chats are excluded. Any RCS conversation that includes even one Android contact does not receive end-to-end encryption under the current implementation. Apple has not announced a timeline for extending encrypted RCS to group conversations [15].

Carrier support is required. Both the sender's and receiver's carriers must support the latest RCS specification. Where carrier support is absent, messages fall back to unencrypted RCS or SMS [1][8].

Metadata remains fully visible. Who messaged whom, when, how often, from which devices, and message sizes — all of this stays accessible to carriers and platform operators even after encryption is applied [15][16]. This is a structural property of RCS, not a bug in the implementation.

This metadata exposure stands in sharp contrast to Signal, which stores almost no metadata — only the date a user last connected to the service [17]. WhatsApp encrypts message content but retains more metadata, including contact lists and usage patterns, which its parent company Meta can access [17]. iMessage encrypts content between Apple devices but Apple retains some metadata, and carriers still see that a message was sent [16].

The comparison matters because metadata alone can reveal communication patterns, social networks, and behavioral information that is often as sensitive as content. As the Electronic Frontier Foundation has noted, this is a structural limit of both RCS and iMessage that no content-layer encryption update changes [9].

MLS vs. Signal Protocol: A Technical Comparison

The RCS E2EE implementation uses the Messaging Layer Security (MLS) protocol, published as IETF RFC 9420 [6]. MLS was designed for efficient asynchronous group key establishment and provides both forward secrecy — meaning an attacker who compromises current keys cannot decrypt past messages — and post-compromise security, which ensures that after a compromise, future messages become secure again once clients exchange fresh keying material [6].

MLS underwent formal security analysis during its IETF development process and supports multiple cipher suites, with the capability to add quantum-resistant algorithms in the future [18]. It has already been deployed by Cisco Webex, Wire, and Discord [18].

Signal uses its own Signal Protocol, which also provides forward secrecy through a double-ratchet mechanism and has been formally analyzed. The critical difference is not in the encryption of message content — both protocols are considered strong — but in what surrounds it.

Signal implements "sealed sender," a feature that hides the sender's identity from Signal's own servers [17]. RCS has no equivalent; sender and recipient identities are visible to the infrastructure. Signal's servers are designed to retain minimal data by policy and architecture. RCS runs through carrier infrastructure that is designed to retain routing data.

Key verification also differs. Signal allows users to verify each other's identity keys through safety numbers, providing protection against man-in-the-middle attacks. The RCS MLS implementation relies on SIM-based authentication and carrier-managed certificates [5], which means users trust their carrier's infrastructure for identity verification rather than performing direct out-of-band verification.

For sophisticated nation-state adversaries — the kind that executed Salt Typhoon — the metadata and key-management attack surfaces in RCS remain larger than in Signal. A compromised carrier could, in theory, interfere with the certificate infrastructure that underpins RCS key exchange, whereas Signal's key verification is independent of any carrier.

Law Enforcement: The Access Debate

The expansion of end-to-end encryption predictably draws opposition from law enforcement agencies worldwide.

In April 2024, European police chiefs gathered in London at a meeting hosted by the UK's National Crime Agency and issued a joint declaration calling on technology companies and governments to take action against end-to-end encryption [19]. Europol Executive Director Catherine De Bolle argued that end-to-end encryption "will prevent tech companies from seeing offending content on their platforms" and "will stop law enforcement's ability to obtain and use evidence in investigations of serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime and terrorism" [19].

In the US, the FBI has historically pushed for lawful access mechanisms in encrypted systems, though the agency's position became complicated in December 2024 when it joined CISA in recommending encrypted messaging to protect against the Salt Typhoon intrusion [13].

The law enforcement critique has a concrete basis. The National Center for Missing & Exploited Children (NCMEC) received over 36.2 million reports of suspected child sexual exploitation in 2023, with over 100 million files included [20]. These reports overwhelmingly come from platform-level scanning — the kind of detection that end-to-end encryption makes impossible. A survey of 470 law enforcement officers across 39 countries found that investigators were already overwhelmed by the volume of CSAM cases, able to pursue only the highest-risk leads [20].

Proponents of encryption argue that backdoors create vulnerabilities that are inevitably exploited by adversaries — Salt Typhoon being the most vivid recent example. The Electronic Frontier Foundation and privacy advocates maintain that weakening encryption for lawful access purposes means weakening it for everyone [21]. No proposal for exceptional access has survived technical scrutiny: the 2015 "Clipper Chip" debate, the 2016 Apple-FBI San Bernardino case, and subsequent proposals have all foundered on the same problem — there is no mathematical way to create a backdoor that only authorized parties can use [21].

The honest tension remains: encryption that protects dissidents and journalists from authoritarian surveillance also protects criminals from lawful investigation. Neither side has resolved this conflict, and the RCS E2EE rollout adds another major platform to the encrypted column without offering a new answer.

Governments Pushing Back: Backdoors and Mandates

Multiple governments retain or are pursuing legal authority to compel access to encrypted communications.

The UK's Online Safety Act, passed in 2023, empowers the government to require platforms to use approved software to scan users' messages for illegal content, with criminal penalties for non-compliance [22]. Full enforcement is expected in 2026 [22]. In September 2025, the UK government used a secret Technical Capacity Notice under the Investigatory Powers Act to demand that Apple modify iCloud to grant law enforcement access to encrypted data [22].

The EU's proposed Child Sexual Abuse Regulation (CSAR), widely known as "Chat Control," would require messaging platforms to scan private communications — including encrypted messages — for child abuse material through client-side scanning [23]. The proposal faced significant resistance: the EU Parliament voted in April 2026 to block the mandatory scanning of encrypted messages, though negotiations between Parliament, Council, and Commission continue [23].

Australia amended its Telecommunications Act to require companies to provide access to encrypted communications when served with a technical capability notice, a framework similar to the UK's [21].

In the US, multiple versions of the EARN IT Act have attempted to create liability incentives for platforms that use end-to-end encryption, though none have passed into law [21].

No country has yet moved to specifically block E2EE RCS, but the regulatory infrastructure exists in several jurisdictions to compel modifications to how encryption is implemented on their networks. Carriers, unlike app developers such as Signal, operate under telecommunications regulations that give governments more direct control.

What This Changes — and What It Doesn't

The RCS E2EE rollout is a meaningful improvement in the default security of cross-platform messaging. For the millions of people who text between iPhones and Androids using the built-in Messages app — especially in the US, where iMessage dominance means many conversations stay in the default client — their message content is now protected from carrier-level interception by default.

But the change has clear boundaries. Group chats remain unencrypted. Metadata remains exposed. The security model depends on carrier infrastructure in ways that Signal and WhatsApp do not. Business RCS messages are explicitly excluded from encryption, as platforms scan them for spam and compliance purposes [15].

The projected 3.8 billion RCS users by 2026 [11] will have stronger privacy than they did before. Whether this moves the global needle on encrypted messaging depends on behavior: users who already moved cross-platform conversations to WhatsApp or Signal have already solved this problem for themselves. The people who benefit most are those who never switched — the default users who text with whatever app came with their phone.

For them, the default just got meaningfully better. But "better than plaintext" and "as private as Signal" remain very different standards.