We’re all familiar with SMS messaging. Texting (as it’s colloquially called) has been around for over 25 years now. But there’s an inherent problem with SMS. It’s not encrypted. Through no fault of the designers of SMS, either.
The specification is clearly meant to be simple. SMS files are literally just text files. The encrypted transmission of these texts is optional for the carrier. Unsurprisingly, I can’t find a single carrier that sends SMS messages over an encrypted protocol by default.
Let's talk (more) about SMS
This means that if you send SMS messages, you’re sending them through the GSM network, via your service carrier. On iOS devices, you can tell you’re sending SMS by the infamous green text bubbles; on Android devices, messages are sent as SMS by default. They’re subject to interception, spoofing, man-in-the-middle attacks and surveillance. Not a win for privacy rights.
SMS, as used on modern devices, originated from radio telegraphy in radio memo pagers that used standardized phone protocols. These were defined in 1985 as part of the Global System for Mobile Communications (GSM) series of standards. The protocols allowed users to send and receive messages of up to 160 alpha-numeric characters to and from GSM mobiles. Although most SMS messages are mobile-to-mobile text messages, support for the service has expanded to include other mobile technologies, such as ANSI CDMA networks and Digital AMPS.
Let's talk about iMessage
iMessage is (and I’m not being hyperbolic here) a completely different animal. SMS and iMessage are cut from the same cloth in that they are both messaging services. But the similarities end there.
The iMessage protocol is based on the Apple Push Notification Service (APNs)—a proprietary, binary protocol. It sets up a Keep-Alive connection with the Apple servers. Every connection has its own unique code, which acts as an identifier for the route that should be used to send a message to a specific device. The connection is encrypted with TLS using a client-side certificate that the device requests when iMessage is activated.
That’s right, every single iMessage sent and received (that includes everything from photo attachments to Animoji) goes through Apple’s servers first, and uses end-to-end encryption, ensuring that only the sender and the receiver can decrypt messages. Which means, if an intercept takes place, the would-be attacker would now be in possession of an unusable soup of characters. Kind of like this:
Without the client-side certificate, your would-be attacker is now shit-out-of-luck. Definitely a win for privacy rights.
Let's talk about Chat™️… from Google?
That’s right. I’m not talking about Allo, or Google Chat, or Google Hangouts — I’m talking about Chat. It’s not a new app from Google, nor is it a protocol. Confused? You should be. This thing is a fucking mess. Chat is the alias for a carrier-based service (remember, like how GSM is a carrier-based service) called RCS. RCS (Rich Communication Services) is an acronym whose sole existence is meant to differentiate itself from the service it wants to supersede.
Instead of being sent via GSM (or directly through your service provider), messages are sent over the internet (similar to iMessage), but with no encryption out of the box. That means if we’re both on the same Wi-Fi at Starbucks, your messages are now subject to interception and surveillance.
To make matters worse, Google is actively working with carriers to make this the elevated standard protocol for devices going forward. Which means that your carrier can now surveil your messages. Your cell phone carrier — you know, the one that doesn’t care about #NetNeutrality.
But remember, Chat is a carrier-based service, not a Google service. It’s just “Chat,” not “Google Chat.” In a sign of its strategic importance to Google, the company has spearheaded development on the new standard, so that every carrier’s Chat services will be interoperable. But, like SMS, Chat won’t be end-to-end encrypted, and it will follow the same legal intercept standards. In other words: it won’t be as secure as iMessage or Signal.
Google is essentially giving up on creating a competing chat service comparable to Signal, iMessage, and WhatsApp. If you’re an Android user, there’s no shortage of messaging options available, sure — but RCS is a loss for everyone. Why? Because if I’m an iOS user, and I message a Chat user, now we’re both at risk.
Not a win for privacy rights.