Apple and Google Enable End-to-End Encryption for RCS - A First in Messaging History

17.05.2026 18

For the first time ever, text messages exchanged between iPhone and Android devices are protected by end-to-end encryption (E2EE). Apple and Google announced the rollout of the Messaging Layer Security (MLS) protocol over RCS 3.0, making cross-platform encrypted messaging a default feature for billions of users - no third-party app required.

What Changed and Why It Matters

Before this update, messages sent between iOS and Android fell back to standard SMS or basic RCS - both completely unprotected. Anyone with the right tools - an intelligence agency, a law enforcement body, a rogue telecom employee, or a sophisticated attacker - could intercept these messages in plaintext. Billions of cross-platform text conversations happened in the open every day.

MLS (RFC 9420), ratified by the IETF in 2023, is the same cryptographic standard already powering encryption in platforms like Cisco Webex. Unlike the Signal Protocol (used by WhatsApp and iMessage on Apple-only threads), MLS is designed from the ground up for large-scale interoperability - meaning it can work across apps and operating systems without a central server holding the keys.

With this update, when an iPhone user texts an Android user via the default Messages or iMessage interface, the conversation is end-to-end encrypted by default. Neither Apple, Google, nor the carrier can read those messages.

What Intelligence Agencies Actually Lose

Cross-platform SMS and RCS have long been a primary target for mass surveillance programs. Documents leaked by Edward Snowden showed that American and British intelligence agencies collected SMS traffic at scale from carrier networks. Domestic law enforcement in the US, EU, and elsewhere routinely obtained bulk SMS records through legal process - or simply bought them from data brokers.

That particular channel is now closed. Intelligence agencies can still target individual devices through malware (see: NSO Group's Pegasus), compel app stores to deliver backdoored updates, or use other vectors. But passive, bulk interception of cross-platform text traffic is no longer possible in the same way.

Law enforcement lobbying groups have already begun pushing for mandatory backdoors in MLS. Canada's Bill C-22 - which proposed mandatory metadata retention and backdoors for encrypted messaging - caused Signal to announce it would leave the Canadian market if passed. In Europe, the Chat Control proposal would require platforms to scan all messages server-side before encryption. If Apple and Google are compelled to implement scanning at the device level before encryption, the privacy gain is erased.

What RCS 3.0 Does Not Protect

E2EE encrypts message content in transit. It does not protect:

  • Metadata - who you texted, when, how often, and from which IP address. This data remains visible to carriers and platform operators.
  • Backups - if you back up your messages to iCloud or Google Drive without enabling end-to-end encrypted backups, those stored messages can be accessed under legal process.
  • Device access - if law enforcement seizes your phone and unlocks it, messages on the device are readable.
  • Screenshot exfiltration - there is no protection against the recipient sharing your messages.

For users in high-risk environments - journalists, activists, dissidents, lawyers - dedicated encrypted messengers like Signal remain the stronger choice. Signal's disappearing messages, sealed sender, and zero-metadata architecture go significantly further than what RCS 3.0 offers. The contrast is stark: while Apple and Google are adding encryption, other platforms have been moving in the opposite direction. But for the average user who will never install a dedicated privacy app, default E2EE on the native texting interface is a meaningful improvement.

Why VPN Users Should Care

VPN users tend to think in layers. A VPN encrypts your traffic between your device and the VPN server - protecting you from ISP-level surveillance and man-in-the-middle attacks on public networks. But until now, the actual content of your text messages traveled outside that protected layer entirely, visible to carriers regardless of whether your VPN was on.

RCS E2EE and a VPN are complementary protections that cover different threat vectors. One secures the content of messages from endpoint to endpoint. The other secures your network traffic from ISP and network-level observers. Using both together closes two separate gaps in your privacy posture.

Timeline and Availability

The MLS rollout began on May 11, 2026. Apple confirmed the feature is active in iOS 18.5 and later; Google confirmed it is enabled by default in Google Messages on Android. Users do not need to take any action - encryption activates automatically when both parties have compatible software versions.

Older devices running earlier iOS or Android versions will fall back to unencrypted RCS or SMS. Check your iOS or Android version if you want to confirm you are covered.

Tags: apple google encryption privacy surveillance cybersecurity
