"We now encourage our members to leverage these new capabilities and enable more secure RCS messaging for personal and business users worldwide," Alex Sinclair, Chief Technology Officer, GSMA, said.
Apple and Google launch a cross‑platform encrypted RCS beta
On May 11 Apple announced a beta rollout of end‑to‑end encrypted (E2EE) Rich Communication Services (RCS) messaging between iPhone and Android handsets, and Google confirmed a matching Android‑side rollout. The feature is available to iPhone users on iOS 26.5 with supported carriers and to Android users on the latest version of Google Messages; availability is dependent on carrier activation. Encrypted conversations are marked with a lock icon in the chat interface, and encryption is enabled by default. Apple has said encryption will be applied over time to both new and existing RCS threads.
Built on the GSM Association's Universal Profile 3.0 and MLS
The rollout implements the GSM Association's (GMSA) RCS Universal Profile 3.0 specification, published in March 2025. That specification defined how to apply the IETF's Messaging Layer Security (MLS) protocol within the RCS standard, creating the technical path for a cross‑platform E2EE implementation between iPhone and Android devices.
What this closes: the long‑running interoperability gap
Until now, encryption protections in RCS had been limited to messages exchanged within a single client. Google Messages users previously had E2EE conversations with one another using the Signal protocol, but that protection did not extend to RCS threads with iPhone users. iMessage, Apple has noted, remains E2EE by default between Apple devices and sat on a separate stack entirely. The new RCS implementation therefore addresses a long‑standing gap: conversations that traverse the Apple/Android divide will now be encrypted end‑to‑end.
Implications for defenders and smishing operators
For information security teams, the change shifts the threat surface around mobile messaging "in two directions at once." Communications between an iPhone and an Android handset, previously transmitted with only transport‑layer protections, will now be opaque to carriers and to any party intercepting traffic in transit. The flip side is that carrier‑level content inspection becomes harder. Analysts have noted that smishing is increasingly moving toward modern messaging channels such as RCS and iMessage, and E2EE is one factor that makes operator‑level content filtering more difficult.
"Encrypted RCS is a real privacy win, and the cross‑industry work with Google and the GSMA is the harder achievement worth acknowledging," Adam Boynton, senior enterprise strategy manager at Jamf, said. "[However,] impersonation is the fastest‑growing threat on mobile. AI‑cloned voices and deepfake messages can still bypass technical checks, so we've only secured the transit of messages, not the person on either end."
How technologists, carriers, and end users will respond
- Technologists and security teams: The rollout "shifts the threat surface" for defenders, who will have to adapt detection and mitigation to environments where carrier‑level content inspection is reduced. Teams that previously relied on operator inspection will need to account for opaque message contents when assessing risk.
- Carriers and operators: Availability is explicitly dependent on carrier activation, and the new E2EE model reduces the efficacy of network‑level content filtering. Carriers will need to balance activation choices with their operational needs for traffic inspection.
- End users: Encryption is enabled by default and encrypted threads will be marked with a lock icon; Apple has also confirmed the wider rollout to iPadOS, macOS and watchOS will follow in future software updates.
The deployment represents a technical milestone — an industry standard (GMSA RCS Universal Profile 3.0) applying a modern group‑messaging security protocol (MLS) across competing client ecosystems. It also embodies a familiar trade‑off: stronger privacy in transit versus reduced visibility for network defenders and filters, while social‑engineering and impersonation threats remain active at the endpoints. How quickly carriers activate the feature and how broadly the platform expansions (iPadOS, macOS, watchOS) are adopted will determine how widely the new protection takes hold.




