Google Messages Aren't Always End-to-End Encrypted

Google doesn't have the best track record when it comes to user privacy, but it's getting better. The company's messaging app, Google Messages, now comes pre-installed on most new Android devices and advertises its conversations as end-to-end encrypted. Based on the way Google publicizes its app, you might think using it means all your chats with friends, family, and colleagues are protected. But they're not.

Some Google Messages chats are end-to-end encrypted

It's not that Google is outright lying here. Under the right circumstances, your conversations through Google Messages are end-to-end encrypted—which means only you and the other members of the chat can read the contents of sent messages.

This is made possible through a messaging protocol called RCS (Rich Communication Services). RCS has many perks over the outdated SMS messaging protocol (typing indicators, high-res photo and video sharing, better support for group chats, etc.), but the key perk for our purposes is end-to-end encryption. When you send an RCS message from your phone to another phone using RCS in a manner that supports end-to-end encryption, that message is "scrambled," and appears unintelligible to anyone who happens to intercept it. To decrypt it, you need access to the "key," which, for messaging, is one of the devices involved in the chat. RCS messages appear dark blue, as opposed to light blue SMS messages.

So, someone with Google Messages sending a messaging to another person also using Google Messages can take advantage of this encryption perk and not worry about their messages being intercepted or otherwise compromised. This happens automatically, too, when both parties support encryption: Whenever your chats are end-to-end encrypted, you will see a little lock icon on the send button and next to the timestamp.

However, in all other cases, this encryption is not supported, and, thus, your messages are not protected.

When Google Messages is not end-to-end encrypted

Remember, there are two key components to ensuring that these messages are end-to-end encrypted: The messages must be sent over RCS, and all parties need to be using Google Messages. Unfortunately, there are plenty of situations where one or both of these requirements are not met.

Let's stick to Android for a second. Google Messages may be the default messaging app installed on most new Android devices, but it is far from the only option available—even if Verizon and AT&T have both killed their messaging apps. Let's say you're using Google Messages on your phone, but your friend is using Samsung Messages. Any chats between the two of you are no longer end-to-end encrypted. The same goes if they use the popular Textra SMS app on their end: Anything other than Google Messages, and you no longer have access to end-to-end encrypted messaging when you are using Google Messages yourself.

The same applies when messaging iPhone users. Since iOS 18, iOS supports RCS, which should mean that messaging between Google Messages on Android and Messages on iPhone is encrypted. But no: It's still RCS, but there's no end-to-end encryption. You get the other perks of RCS, like typing bubbles and functioning group chats (thank God), but messages are still insecure.

Google needs to be clearer about how its messaging platform handles encryption

John Gruber of Daring Fireball recently highlighted this issue in a blog post, expressing his frustration with Google over its misleading security claims. Indeed, when you check out the Google Messages Play Store page, the second image in says "Conversations are end-to-end encrypted." Gruber points out that an accurate statement would read "Some conversations are end-to-end encrypted," and how that would naturally lead customers to ask "well, which conversations are those?" Google probably wants to simplify things here, knowing that many Google Messages users will be messaging other Google Messages users with RCS. But the fact that there are so many situations in which that isn't the case means that people are going to assume their messages are encrypted when they are not.

The app description is a little clearer: "Privacy Matters: Rest easy knowing your personal chats are protected with end-to-end encryption between Google Messages users, so no one (including Google and third parties) can read or view your messages and attachments except the person you’re messaging. Plus, enjoy advanced spam protection." But even here, Google doesn't say all participants need to be using RCS, and if they're running an older version of Google Messages, they might not have the option for end-to-end encryption—throwing off the security of the conversation.

That doesn't mean you should ditch Google Messages entirely. Many of your Android friends likely use it, so your chats may already be end-to-end encrypted. And the GSM association, which develops RCS, is working on bringing encryption to RCS on iPhone. However, if you're serious about your privacy, and you have a contact that doesn't support end-to-end encrypted chats through Google Messages for any reason, you both could switch to a platform that supports this encryption natively, like Signal or WhatsApp.