Apple has a new serious problem

Apple has a new serious problem

Apple jobs Tim Cook iPhone Intel

It’s that time of year, when news outlets predict what Apple has in stall for its billion-plus iPhone users in the fall (1,2), when it releases iPhone 16 and iOS 18. But Apple now has a serious problem on its hands, one that threatens a major rethink ahead of those 2024 updates.

Timing is everything. And the issue here stems from two seemingly unrelated events, but which in combination could damage one of the central pillars holding up the three-trillion-dollar walled garden around Apple’s billion-plus iPhone users. We’re talking iMessage, the enabler of the blue-bubble/green-bubble social hierarchy that tells everyone just how much you’re prepared to spend on a smartphone, and whether you’re on an iPhone or you’re not.



That social differentiator has never been under more pressure than now. You’ll have seen the recent back and forth over upstart Beeper Mini, which took on Apple in an attempt to open iMessage up to Android users, and lost. But in doing so, Beeper forced Apple’s hand into closing down each and every one of its workarounds, exciting interest from lawmakers and regulators in the process.

“We are concerned,” a congressional group petitioned the DOJ last month, “that Apple’s recent actions to disable Beeper Mini harm competition, eliminate choices for consumers, and will discourage future innovation and investment in interoperable messaging services.”

Talking of which and entirely coincidentally, just before Beeper Mini emerged, Apple announced an iMessage u-turn, finally agreeing to adopt the new mobile industry messaging standard, RCS, alongside iMessage in some form. RCS provides a modern alternative to SMS, one that offers more user features, especially around media, and provides the basic level of security SMS is missing.

Apple has said that RCS will come to iPhone this year, which analysts read to mean alongside the fall iPhone and iOS releases. Apple has also said that RCS will run in parallel with iMessage, meaning no full-scale integration. And so, whereas now iMessage users see SMS messages differently within the app, we can assume they’ll see RCS messages presented similarly to SMS after the update.



But Apple will be under scrutiny as to the level of this integration—that’s the net result of those seemingly unrelated events, Beeper Mini highlighted the issue, RCS seems to offer some form of expedient solution. And Apple’s first challenge will be appearing to take RCS integration seriously, and not just adding RCS green/purple/yellow bubbles to the “I have an iPhone” blue alternatives.

Which brings us to the much more serious challenge for Apple and its adoption of RCS, and one that should be a major consideration for how it architects its initial RCS update in the fall.

While RCS is more secure than SMS, it is not end-to-end encrypted. And it’s this end-to-end encryption that sets messaging platform apart from one another. It’s this security that Apple lauds when it says “end-to-end encryption protects your iMessage conversations across all your devices—your messages are encrypted on your device so they can’t be accessed without your passcode,” and which is central to WhatsApp’s advertising and has even now been adopted by Facebook Messenger.

A few years ago, Apple could have adopted RCS as an SMS upgrade into iMessage taking the same approach as SMS, and there would have been no complaints. RCS at that time was a patchwork quilt sitting somewhere between the carriers, equipment manufacturers and Google. Apple’s problem, though, is that Google has taken charge of RCS since then, seeking to create an iMessage lookalike. And that now includes end-to-end encryption by default—just like iMessage.



A few years ago, Apple could have adopted RCS as an SMS upgrade into iMessage taking the same approach as SMS, and there would have been no complaints. RCS at that time was a patchwork quilt sitting somewhere between the carriers, equipment manufacturers and Google. Apple’s problem, though, is that Google has taken charge of RCS since then, seeking to create an iMessage lookalike. And that now includes end-to-end encryption by default—just like iMessage.

This has not changed the RCS protocol itself, but has introduced a secure endpoint—Google Messages—that encrypts traffic before it’s sent. The end-to-end encryption only applies where senders and recipients all use Google Messages, but it has combined RCS and end-to-end encryption for the first time. And that has created significant confusion that will be a major issue for Apple in the fall.

“Green bubble texts are less secure,” Senator Elizabeth Warren complained during the Beeper Mini fiasco. “So why would Apple block a new app allowing Android users to chat with iPhone users on iMessage… chatting between different platforms should be easy and secure.”

Yes, RCS is more secure than SMS, but that’s not what Senator Warren meant. Beeper Mini was designed to “implement Apple’s end-to-end encryption protocol natively within the Android app itself. All messages are end-to-end encrypted before they are transmitted.”



And so, Apple’s part deployment of RCS will fall woefully short of Beeper Mini if the status quo of there being no cross-platform, end-to-end encrypted messaging solution remains. Especially because there is general confusion across users and even analysts as to what all this means.

If you read some of the commentary that followed Apple’s RCS announcement or has been published since, you’ll see analysts suggesting that the security of end-to-end encryption is finally coming to stock iPhone-to-Android messaging. Absent a major change by Apple, that’s not true.

There is no end-to-end encrypted messaging available today to link different developers’ endpoints. The encryption/decryption sits within the apps on devices. WhatsApp users securely message one another, Signal users and now Facebook Messenger users do the same. But you cannot message between those platforms. Which is why the security vulnerability for end-to-end encrypted messaging is always on the device—compromise the device and you can pretty much access everything.

But we have now reached a pivot point—which is why 2024 and Apple’s fall releases are so important. Google Messages and iMessage have replaced the SMS clients on most smartphones outside China. Cross-platform communications is built-in, but relies on that same old SMS technology. In adding end-to-end encryption, Google Messages has just created an Android version of iMessage. It only works securely within its own walled garden, notwithstanding the standard RCS protocol within.



This presents a very simple but very stark conundrum. Apple—and Google—can’t have it both ways. Either end-to-end encryption is critical, as they both claim, which is how they push their platforms, or it is not. If it is critical, then users should shift to platforms like WhatsApp or Signal to encrypt all their messages. It cannot be that full encryption falls away once you step outside an ecosystem.

Neither Apple nor Google can launch end-to-end encrypted cross-platform RCS on their own. As the Beeper Mini episode exposed, if you breach the wall in someone else’s house, you can expect to have that bricked-up quickly and repeatedly. You need both sides to work together.

Ideally but unrealistically, there would be a cross-industry end-to-end encryption protocol added to RCS, that all developers could adopt and which would manage the security risks inherent in expanding such levels of encryption outside a walled garden. Apple seems to have pointed itself in this direction, intimating that it will work with the GSMA to enhance RCS. But you can imagine the time such a shift will take—if ever; just look at the painfully long and drawn out base RCS rollout.

But there doesn’t need to be an industry-wide change, notwithstanding regulatory pressure to message between different platforms off all shapes and sizes, opening up so-called gatekeepers. WhatsApp users messaging Signal users is a level of complexity that isn’t needed. If small messaging platforms are to be given access to the hyper-scale ones, then the security risks in trying to do so within an end-to-end encrypted architecture outweigh the benefits. Every endpoint is a vulnerability. So all an attacker would need to do is compromise a small platform to attack a larger one.



All that is needed is for Apple and Google to work together. A shared end-to-end encryption protocol built over RCS, even if that runs in parallel to iMessage’s own, would solve 90% of the problem. Google is standardizing on Google Messages across Android and end-to-end encrypting by default. The time is ideal for such a move. And for those who argue this cannot be done, think back to covid tracking and the shared lead Apple and Google took in resolving the cross-platform challenge.

Absent such collaboration, the iOS/Android user base is not well-served by these updates and should switch to an over-the-top platform. But with iMessage so dominant in the U.S., that is unlikely. It’s time for some shared responsibility and for the real gatekeepers to do the right thing.

When details of Apple’s RCS deployment become clear, I see this becoming a major issue alongside whatever color of bubbles become apparent. Apple can’t make a move without Google’s collaboration, we’re essentially talking a linkage between the two stock messengers to take on WhatsApp. It’s in Google’s interests to offer exactly that. Apple will then be in a position when it would need to argue that RCS end-to-end encryption is not in its users’ interests, which it clearly is. Its prior argument that SMS is SMS will have fallen away—RCS can be end-to-end encrypted, in a way SMS cannot.

Device security and vulnerabilities have never been more in focus. Both Apple and Google now offer ramped-up security/lockdown settings for devices to secure users and communications. Again, to be heading in that direction while not fixing cross-platform secure messaging just seems bizarre.



Cue the FTC, which is now watching. “In the face of concerns about anticompetitive conduct,” it posted, “companies may claim privacy and security reasons as justifications for refusing to have their products and services interoperate with other companies’ products and services… the Commission is uniquely situated to evaluate claims of privacy and data security that implicate competition.”

In my view, Apple will find it difficult to water down its RCS implementation under scrutiny while its “pseudo-social monopoly” is being looked into. And the more Apple secures it ecosystem—just look at Contact Key Verification that has just rolled out to enhance iMessage security, the harder it becomes to justify severely restricting the availability of that level of security and privacy.

This year, 2024, marks the tenth anniversary of WhatsApp’s first forays into end-to-end encrypting messages. The security was deployed by default across its platform two years later. And yet, today, cross-platform stock messaging still relies on SMS. Let’s think that through.

Mark Zuckerberg has described iMessage as “a key linchpin of [Apple’s] ecosystem—which is why iMessage is the most used messaging service in the U.S.” And Apple has faced significant flack in the past for seemingly putting sales before user security and privacy when it comes to families enabling their kids to step outside its OS to message their parents. The 2024 stakes are high.

Leave a Reply

Your email address will not be published. Required fields are marked *

Pin It on Pinterest