The desktop app is great, but Android Messages still aren’t encrypted

It seems odd Google has been so bullish about encrypting websites, but didn’t encrypt its own messenger

Google’s new Android Messenger is now out for desktop. The move puts Google in direct competition with Apple’s iMessage service and Facebook’s WhatsApp. It will undoubtedly be used by millions of Chrome/Android users. There’s just one problem: it’s not encrypted.

That’s a problem because nowadays, consumers expect their messaging to be secure. And many services offer that. Why Google is pushing a messaging technology that doesn’t is curious.

Let’s hash it out a little.

Google is trying to replace SMS with RCS

SMS stands for Short Message Service, and much like HTTP it has served its purpose but lacks the security to continue being the default protocol. To replace SMS, Google is pushing something called Rich Communication Services, or RCS. RCS offers myriad advantages over SMS: it supports read receipts, full-resolution photos and videos, group texts and a whole lot more. What it doesn’t offer is end-to-end encryption.

Now, it’s worth noting that Chat, which will eventually replace Messages, is not actually a Google service, though Google did help create it. Most of the major cell carriers and Android phone makers have already signed on, too.

But the question still remains: why was there no push for end-to-end encryption?

Here’s a guess: money.

‘We don’t believe in forcing the issue… sometimes’

Most cell phone carriers loathe chat clients like iMessage owing to the fact that they don’t make any money from them. That’s because the messages are sent via the internet as opposed to across their networks, so there’s no way to tax them.

Google’s Anil Sabharwal, the one overseeing the Android Messages/Chat project, explains Google’s decision not to mandate end-to-end encryption like this:

We can’t do it without these [carrier and OEM] partners. We don’t believe in taking the approach that Apple does. We are fundamentally an open ecosystem. We believe in working with partners. We believe in working with our OEMs to be able to deliver a great experience.

This is a pretty stark contrast from the way Google has handled the mass migration of websites from HTTP to HTTPS. While it’s not a true 1:1 comparison, that doesn’t mean it’s not worth considering.

This was the driving logic behind requiring all websites to install SSL certificates and move to HTTPS:

We all need data communication on the web to be secure (private, authenticated, untampered).

That’s fair, and we happen to agree. It just seems like Google should care as much about data communication being secure when we’re chatting as when we’re browsing. If anything, the content of our messages can sometimes be even more sensitive than the personal data that might be stolen over an HTTP connection.

There’s a dissonance in the messaging here and it’s a little bit troubling

Now, before you say anything, I know that Google was not the party that originally designed RCS messaging. In fact, it was mentioned just two sections ago. RCS has been around in some form or another since 2007. But it looked like it was going nowhere until Google revived it.

Here’s the thing: Google may not be the one that designed the standard, but Google is an economic kingmaker and has the power to elevate ideas to the point where others are almost forced to adopt them. Google could have very easily made end-to-end encryption a priority when it decided to overhaul its messaging client. And based on the messaging around the HTTPS mandate, it seems logical Google would have favored end-to-end encryption.

So why push a messaging technology that isn’t encrypted by default? You know, like you’re asking literally the entire internet to be by July?

We’re not alone in our criticism. Joe Westby, of Amnesty International’s International Technology and Human Rights division, excoriated Google in a press release:

“With its baffling decision to launch a messaging service without end-to-end encryption, Google has shown utter contempt for the privacy of Android users and handed a precious gift to cybercriminals and government spies alike, allowing them easy access to the content of Android users’ communications.”

I might tell Joe to switch to decaf, but his overriding point is sound. It’s hard to say Google is a major proponent of privacy and a more secure internet when it’s actively pushing a messaging technology without encryption towards ubiquity.

Unless of course, as a cynic might point out, Google’s encryption efforts are also just a cash grab.

For now, we’ll go with a more optimistic outlook on Google and take it at its word. Even if those words sometimes seem to contradict themselves.

And for Android users, if you’re interested in protecting the contents of your messages with encryption, use a third-party app like WhatsApp or Signal.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.