Your cart is currently empty!
-
SMS, RCS, iMessage, and Private Messaging Services Compared
The safest way to send a text might surprise you.
SMS (Short Message Service) has been around since 1992 and MMS (Multimedia Messaging Service), the extension to SMS allowing longer texts and media to be sent, came out in 2002. Both didn’t really take off until cell phones with full keyboards became mainstream in 2005. Once Apple popularized the smartphone in 2007 the need for more advanced messaging than what SMS and MMS could provide became clear. Facing tough competition from Android phones such as the Samsung Galaxy S2, Apple capitalized on this need by releasing iMessage in 2011.
SMS/MMS runs over the cell network and it is available even if an internet connection is not. When sending an SMS/MMS message it goes to a cell tower over an encrypted connection. From the cell tower the encrypted signal is decrypted and your cell carrier and their SMS routing companies handle the message to get it to where it needs to go. When it finds the destination phone it is then sent to their device over an encrypted connection from the destination device’s nearest cell tower. SMS/MMS is insecure because wherever the message goes between the sending cell tower and the receiving cell tower the message is unencrypted, leaving it exposed to nosy carriers and SMS routing companies. This also makes your messages vulnerable to IMSI-catchers. These are devices hackers can use to mimic cell towers and trick your phone into connecting to them, leaving your texts available for them to read in plain text. These devices are often used by governments and law enforcement to spy on individuals without having to send subpoenas to tech companies first.
iMessage is an Apple exclusive messaging app that adds a layer of functionality on top of SMS/MMS that runs on a WiFi or Data connection. When sending messages between two phones that have iMessage the full iMessage functionality can be utilized. Because the iMessage layer runs on data if one of the two phones doesn’t have a data or WiFi connection while the message is being sent, the message defaults back to being sent as an SMS/MMS message with limited functionality. Because iMessage isn’t available for Android, this is the default behavior when iPhones are messaging Android phones.
Apple claims iMessage messages are end-to-end encrypted meaning not even Apple can read the messages you send. That being said iMessage is a closed protocol and the iMessage app itself is closed source so we just kind of have to take Apple’s word for it.
Android phones didn’t get a similar feature until the RCS Universal Profile was published in 2016. RCS (Rich Communication Services) is a layer, like iMessage, that runs on top of SMS/MMS. It functions similarly and runs over a data connection, defaulting to SMS/MMS when that data connection is unavailable for either device. RCS was available for quite some time before the Universal Profile was introduced but before then it really only benefited people messaging each other from the same client. The Universal Profile allows RCS to be used between two different clients as long as they support the standard. For example now Google Messages users can send RCS messages to Samsung Messages users because both apps support the RCS Universal Profile. Because RCS is an open protocol Apple could easily add support for it in iMessage but so far they haven’t. Currently when an Android RCS user sends a message to an iPhone user, it defaults back to SMS/MMS.
RCS Universal Profile routes traffic over the internet through servers normally operated by the creators of the RCS clients (Google, Samsung, cell carriers, etc.). RCS runs over an encrypted TLS connection to an RCS server where it is then decrypted as the RCS server finds where it needs to go. The message is then sent to the RCS server being used by the message receiver where it is then sent to their phone over an encrypted TLS connection. As you can see RCS has the same problem SMS does. Although it is not vulnerable to IMSI-catcher attacks, your unencrypted data still travels through servers operated by many different companies. Google recently enabled end-to-end encryption for RCS messages in the Google Messages app but this only works when two people using Google Messages message each other. Like iMessage, Google Messages and the end-to-end encryption Google claims it has are closed source so we just have to take their word for it.
So what is more secure? SMS/MMS, iMessage, or RCS?
- iMessage is probably the most secure of these methods as it is time tested and a lot of people use it, at least in the US, meaning it won’t default back to using SMS/MMS as often. The main drawback is that you have to trust Apple.
- RCS with Google Messages comes in second because it isn’t yet time tested and less people use it than iMessage, meaning it defaults back to SMS/MMS more often. You also have to trust Google.
- I’m going to put RCS in third because while you still have to put your message in the hands of multiple companies, at least it isn’t vulnerable to IMSI-catchers.
- SMS/MMS is the least secure method of messaging because your message must go through multiple companies and it is also vulnerable to IMSI-catchers.
Please note that this article doesn’t take into account messaging backup methods such as iCloud or Google Backups, that is a topic for another day.
Even though iMessage came out on top there are more secure alternatives out there. Unfortunately they aren’t as popular.
Signal is the most popular open source cross-platform end-to-end encrypted messaging service. Because it is open source you don’t have to trust the word of a company to know for sure that it is end-to-end encrypted because you can see the source code. The Signal app can even replace your default messaging app as it can send and receive SMS/MMS messages. The only drawback with Signal is that it is centralized meaning the server is vulnerable to being influenced or blocked by governments and ISPs.
Matrix is another popular open source cross-platform end-to-end encrypted messaging service. While Signal focuses more on 1:1 messaging, Matrix acts more as a replacement for Discord, a massively popular closed source messaging app focused on communities. The main benefit to using Matrix over Signal is that it is decentralized and anyone can host a Matrix server. The many Matrix servers can talk to each other. This means you can simultaneously host your own Matrix server and message people who are using other Matrix servers. Because it’s decentralized it is more difficult for governments or ISPs to influence or block it. It also features various bridges including some SMS bridges that allow you to bring messaging across many different platforms together in one place. The only downside to Matrix I can see at the moment is that while there are many different client apps for Matrix they feel overall less polished than Signal’s apps and less people use the protocol in general.
So what will I be using? I don’t think just because not many people use Signal or Matrix at the moment means that we shouldn’t have them installed. Lets push our friends and family to be more private by encouraging them to use these secure messaging apps. Personally I’ll be using Google Messages, with trackers stripped from it using App Warden and permissions limited, alongside Signal and Matrix. This will give me end-to-end encryption while chatting with others who use Google Messages (if Google isn’t lying) and IMSI-catcher invulnerability when messaging users of other RCS apps. And Signal and Matrix will always be there for me to shill when I’m having a conversation with someone who sounds interested in privacy.