RCS security: Your questions, answered

“Is RCS secure?” “How useful is it?” “Is RCS a good thing?” “Is it really secure?”

Do any initial Google or Reddit search on the security of Rich Communication Services (RCS) messaging and you’re bound to see these questions pop up. With Apple support for RCS being rolled out and its enhanced interactivity compared to SMS, RCS is transforming how we communicate. But with all this change, it’s natural to ask if RCS can deliver the security we need, especially for business communications.

Well, we’ve got answers for you.

We sat down for a Q&A with Miriam Liszewski, RCS Commercial Product Manager at Sinch, who has over four years of experience from Google shaping RCS Business Messaging (RBM) strategies. We asked Miriam all about the security of RCS messaging and asked her to address some of the most common questions about its benefits and limitations.

Q: Give us a high-level overview of RCS security measures. Do these apply to RCS Business Messaging (RBM) as well?

Miriam Liszewski: At a high level, RCS offers a richer messaging experience than SMS – and this includes its more robust security measures. This includes measures like encryption in transit (i.e., the encryption of data as it moves between a user’s device and services) and end-to-end encryption in some cases. This ensures that messages remain secure as they travel over networks.  

RCS Business Messaging (also known as RBM) shares the same security framework as RCS, but RBM also includes an additional layer of protection focused on business verification, which helps establish trust between businesses and consumers.

This verification process helps prevent spam and phishing attacks which are common in traditional SMS.

Q: Does RCS have end-to-end encryption?

ML: Currently, RCS supports end-to-end encryption (E2EE) for person-to-person (P2P) messaging under specific conditions. For this to work, both users must be on RCS-compatible devices, like two Androids using Google Messages. RCS chats that are end-to-end encrypted have a few visual indications.

But this isn’t a standard feature across all implementations of RCS, including for business messaging. And that’s because the RCS Universal Profile, which is today’s industry standard for RBM, doesn’t have E2EE as one of its requirements. There are ongoing efforts to change this, especially with Apple now supporting RCS in iOS 18.

Q: What do we know about end-to-end encryption of RCS between Android and iPhones with iOS 18, if anything?

ML: Not much, yet. We know that the Universal Profile doesn’t have end-to-end encryption built in, but Apple has expressed interest in updating this to include E2EE. If this happens, it could mark a significant shift in how RCS is used across platforms.  

And we also know that messages are encrypted in transit when they’re transmitted by Google.

Q: Tell us about “encrypted in transit.” Can you explain encryption when it comes to a business’ RCS messages?

ML: The data flow and architecture for RCS business messaging follows a multi-step path. Let me break it down:  

  1. A verified brand creates and sends an RBM message.
  2. The message is encrypted between the sender’s agent and the RBM platform, either directly or via an aggregator.  
  3. When the message reaches Google’s RBM platform, the message is scanned for compliance with terms of service (e.g., for malware and spam).  
  4. All messages are encrypted in transit between the RBM platform and end users.

Google says that messages stored on their own servers are encrypted at rest so that they can be synced across the end user’s devices (if they have a few different phones, for example). Stored messages can only be accessed with the end user’s Google ID, except when flagged as spam or required by law. For more details, including how long different messages are stored on different devices, see Google’s resource on data security.

Q: How does a user opt in to receive RCS messages from a business? How do they opt out?

ML: A user can opt in to receive RCS messages in the same way they might opt in to receive other business messages, like SMS. They can give their consent through checking a consent box on a form, for example, but, of course, this differs regionally. For example, in the U.S., there are strict rules around what’s considered an opt-in and explicit consent, but other countries might not have the same requirements.  

The same thing applies for opting out of receiving RCS messages. If a user replies “STOP,” or requests to take their name off a list, a business needs to stop contacting them. Businesses must support these opt-out requests, and Google requires businesses to provide confirmation that opt-in consent has been obtained and that opt-out options are available.

Q: How does RCS help with spam? 

ML: RBM has built-in mechanisms to combat spam, primarily through its verification process for businesses.

Only verified businesses can send branded RCS messages, which helps make sure that users aren’t sent fraudulent messages.

This verification process means the user can rest assured that the branded RCS messages they’re receiving are from a legitimate business. Because businesses can’t send messages from a branded agent unless they’ve first been verified, this cuts down on spam and builds trust with the user.

Q: What is the process for a business getting verified to send RCS? Who is involved in the decision-making process?

ML: It varies by region, but this process involves multiple parties like carriers, third-party verification services, and Google itself.

In any case, businesses must apply to be verified when they launch their RCS agent. They need to submit identification and business information, and then their application is reviewed to ensure they meet the criteria to send RCS messages. Verifying a business involves confirming they’re a legitimate business and that they’ll adhere to industry regulations.

The time it takes to process a business’ verification request can vary. It often takes just a few days but, in some cases, can take longer.

Q: Who assigns the “verified” status and is it trustworthy?

ML: Again, depending on the region, it will be between Google and the carriers in the region. 

Once the verification process is approved, the business is granted a “verified” status on their verified sender profile which is reflected in the messages users receive.

The verification process ensures that businesses are legitimate, making it in their best interest to provide accurate information during verification.

Q: Is RCS GDPR compliant?

ML: If you look at how Google addresses this question, you can see that their expectation is that all brands and aggregators comply with local laws and adhere to data security regulations like GDPR and supply a privacy policy that clarifies how they use and/or share end user data. Google says it complies with GDPR. 

The responsibility for ensuring GDPR compliance falls on the business sending messages, so we recommend speaking to your own team to figure out your business’ own unique circumstances before getting started with any new messaging program.

Wrapping up: What to know about RCS security

When it comes to security, RCS and RBM offer enhanced features and security measures compared to traditional SMS, including encryption in transit and verified business profiles. This gives users a more trustworthy messaging experience, which promises to only get better as RCS continues to develop.

For businesses, adopting a secure messaging channel like RCS is a smart first step toward building trust with your customers. But security doesn’t stop there! It’s crucial to stay informed, consult with your team, and ensure your messaging practices comply with the legal requirements in all the regions you’re operating in.  

Partnering with a provider like Sinch can simplify this journey, offering expert guidance as you implement RCS. Ready to get started? Reach out to our team today.  

Or, if you need help making the case for RCS within your organization, download our comprehensive guide to building a business case for RCS.
