RCS security: Your questions, answered

“Is RCS secure?” “How useful is it?” “Is RCS a good thing?” “Is it really secure?”

If you’ve done any Google or Reddit search on the security of Rich Communication Services (RCS) messaging lately, you’ve likely come across these questions. With Apple support for RCS being rolled out and its enhanced interactivity compared to SMS, RCS is transforming how we communicate. And now, with Apple committing to end-to-end encryption for RCS in an upcoming iOS update, the conversation around security is evolving.

We sat down for a Q&A with Miriam Liszewski, RCS Commercial Product Manager at Sinch, who has over four years of experience from Google shaping RCS for Business (previously called “RBM”) strategies. We asked Miriam all about the security of RCS messaging and asked her to address some of the most common questions about its benefits and limitations.

Miriam Liszewski: At a high level, RCS offers a richer messaging experience than SMS – and this includes its more robust security measures. This includes measures like encryption in transit (i.e., the encryption of data as it moves between a user’s device and services) and end-to-end encryption in some cases. This ensures that messages remain secure as they travel over networks.  

This verification process helps prevent spam and phishing attacks which are common in traditional SMS.

ML: Currently, RCS supports end-to-end encryption (E2EE) for person-to-person (P2P) messaging under specific conditions. For this to work, both users must be on RCS-compatible devices, like two Androids using Google Messages. RCS chats that are end-to-end encrypted have a few visual indications.

But this isn’t a standard feature across all implementations of RCS, including for business messaging. And that’s because the RCS Universal Profile, which is today’s industry standard for RCS, didn’t historically have E2EE as one of its requirements. That is, until recently.

The RCS Universal Profile 3.0, which was only released in March 2025, now includes E2EE as a core feature.

While Apple hasn’t provided an exact timeline, it has confirmed that end-to-end encrypted RCS messaging will be available in a future iOS update. According to Tom Van Pelt, the Technical Director at GSMA, this would make RCS the “first large-scale messaging service to support interoperable E2EE between client implementations from different providers.”

ML: Apple’s recent announcement that it will add E2EE for RCS in a future iOS update marks a major security advancement. This means that, after E2EE is implemented, RCS chats between iPhones and Android devices will have an additional layer of protection, bringing RCS security more in line with over-the-top (OTT) apps like WhatsApp or iMessage.

We also know that messages are encrypted in transit when they’re transmitted by Google.

ML: The data flow and architecture for an RCS for Business message follows a multi-step path. Let me break it down:

1. A verified brand creates and sends an RCS message.
2. The message is encrypted between the sender’s agent and the RCS for Business platform, either directly or via an aggregator.
3. When the message reaches Google’s RCS for Business platform, the message is scanned for compliance with terms of service (e.g., for malware and spam).
4. All messages are encrypted in transit between the RCS for Business platform to end users.

Google says that messages stored on their own servers are encrypted at rest so that they can be synced across the end user’s devices (if they have a few different phones, for example). Stored messages can only be accessed with the end user’s Google ID, except when flagged as spam or required by law. For more details, including how long different messages are stored on different devices, see Google’s resource on data security.

For more information about how RCS works and exactly how messages are sent and delivered, check out our resource.

ML: A user can opt in to receive RCS messages in the same way they might opt in to receive other business messages, like SMS. They can give their consent through checking a consent box on a form, for example, but, of course, this differs regionally. For example, in the U.S., there are strict rules around what’s considered an opt-in and explicit consent, but other countries might not have the same requirements.  

The same thing applies for opting out of receiving RCS messages. If a user replies “STOP,” or requests to take their name off a list, a business needs to stop contacting them. Businesses must support these opt-out requests, and Google requires businesses to provide confirmation that opt-in consent has been obtained and that opt-out options are available.

ML: RCS has built-in mechanisms to combat spam, primarily through its verification process for businesses.

This verification process means the user can rest assured that the branded RCS messages they’re receiving are from a legitimate business. Because businesses can’t send messages from a branded agent unless they’ve first been verified, this cuts down on spam and builds trust with the user.

It’s worth noting that Google has prioritized spam detection in RCS to maintain it as a trusted channel. During a panel discussion at Mobile World Congress (MWC) this year, Josh Pepper, Google’s Head of Product for RCS for Business, emphasized Google’s commitment to security. He highlighted that Google is using insights from its Gmail spam protection teams to enhance RCS security and minimize unwanted messages.

_{Hugh Haley, Head of Partners, and Robert Gerstmann, Chief Evangelist and Co-founder at Sinch, discuss how RCS helps brands protect their customers against scams and fraud.}

ML: It varies by region, but this process involves multiple parties like carriers, third-party verification services, and Google itself.

In any case, businesses must apply to be verified when they launch their RCS Agent. They need to submit identification and business information, and then their application is reviewed to ensure they meet the criteria to send RCS messages. Verifying a business involves confirming they’re a legitimate business and that they’ll adhere to industry regulations.

The time it takes to process a business’ verification request can vary. It often takes just a few days but, in some cases, can take longer.

ML: Again, depending on the region, it will be between Google and the carriers in the region. 

Once the verification process is approved, the business is granted a “verified” status on their verified sender profile which is reflected in the messages users receive.

ML: If you look at how Google addresses this question, you can see that their expectation is that all brands and aggregators comply with local laws and adhere to data security regulations like GDPR and supply a privacy policy that clarifies how they use and/or share end user data. Google says it complies with GDPR. 

When it comes to security, RCS offers enhanced features and security measures compared to traditional SMS, including encryption in transit and with verified business profiles. And with Apple’s commitment to E2EE in a future version of iOS, this is paving the way for more secure and trusted business messaging solutions in the future.

For businesses, adopting a secure messaging channel like RCS is a smart first step toward building trust with your customers. But security doesn’t stop there! It’s crucial to stay informed, consult with your team, and ensure your messaging practices comply with the legal requirements in all the regions you’re operating in.  

Partnering with a provider like Sinch can simplify this journey, offering expert guidance as you implement RCS. Ready to get started? Reach out to our team today.  

Or, if you need help making the case for RCS within your organization, download our comprehensive guide to building a business case for RCS.

​