I’ve been looking into RCS and its whole E2EE, and I have some concerns I’d like to get feedback on and potentially learn from. I am not trying to say this is backdoored. I am just trying to learn.
From what I understand, Google uses the Signal Protocol for E2EE in RCS messages, but the implementation in Google Messages isn’t open-source. So you can’t independently verify how it’s actually implemented in practice, which raises red flags for me. There are just so many moving parts, and it feels like we’re being asked to trust Google & Apple to handle everything securely within closed-source software.
Messages are relayed through Google’s & Apple’s servers. Does this create a significant trust issue? Even if the encryption is solid, could poor implementation or server-side vulnerabilities undermine it? The UK, for example, have tried to backdoor Signal and approached both WhatsApp and Signal to do this; they have publicly said they refused. (References: Investigatory Powers Act 2016, recent demand on Apple (2025).)
Are there any independent audits or technical guarantees that prove neither company has access to the encryption keys or message content? Or is this just something we have to take on faith?
Would love to hear others’ thoughts on this... Is RCS encryption truly trustworthy for those of us who care about verified security and privacy, or is it more of a “better than nothing” situation?