TL;DR:
As of May 11, 2026, RCS messages between iPhone and Android can be end-to-end encrypted for the first time. The feature launched in beta with iOS 26.5 and the latest Google Messages, built on GSMA Universal Profile 3.0 and the MLS protocol. Three conditions must all be true: the right iOS version, the right Google Messages build, and carrier support on both ends. Encrypted chats show a lock icon and encryption is on by default where supported. For business messaging (A2P), E2EE doesn’t apply. Security there runs through verified Brand Agent identity, not message encryption.
“RCS is already encrypted” is half true, and that half-truth has confused users for years. Transport encryption isn’t end-to-end encryption. Here’s what actually changed in May 2026, and why the distinction matters more than most coverage lets on.
For years, texting between iPhone and Android meant a green bubble and no end-to-end protection. Everyone knew the gap existed. In May 2026, Apple and Google closed it. But the rollout comes with three conditions most articles skip over, and there’s a broader wave of messaging security changes landing at the same time in Android 17.
💡 This article covers the RCS encryption launch, what it actually protects, and what it means for brands running RCS campaigns. For a full primer on the channel itself, start with our complete guide to RCS messaging.
Cross-Platform RCS Encryption: What Changed and What Hasn’t
On May 11, 2026, Apple and Google announced the beta launch of cross-platform end-to-end encrypted RCS. It’s the first time iPhone and Android users can exchange messages that no one in the middle can read, including Apple, Google, and carriers.
This didn’t happen overnight.
- Google first enabled E2EE for Android-to-Android RCS in Google Messages back in November 2020.
- The GSMA then published RCS Universal Profile 3.0 in March 2025, the first version of the RCS spec to formally define E2EE using the Messaging Layer Security (MLS) protocol.
- Apple’s RCS support in iOS 18 in 2024 set the stage. The May 2026 beta is the cross-platform payoff.
Beyond encryption, UP 3.0 also brings cross-platform message editing, deleting, Tapbacks, and inline replies, closing more of the gap between RCS and iMessage.
Three conditions for encrypted chats
E2EE for RCS isn’t automatic for everyone. All three of these must be true simultaneously:
- iOS 26.5 or later on the iPhone side
- Latest Google Messages build on the Android side
- RCS Universal Profile 3.0 carrier support on both ends of the conversation
The third condition is what decides everything. Up-to-date software on both sides isn’t enough if the carrier hasn’t deployed UP 3.0. That’s why rollout will vary by country and network.
Encryption is on by default where all conditions are met. Apple says it will be automatically enabled over time for new and existing RCS conversations as carrier adoption expands.
How to spot an encrypted chat
Look for the lock icon. In Google Messages, a lock appears next to chat bubbles in an encrypted conversation. On iPhone, the compose field shows “Text Message · RCS · Encrypted” with a lock icon. No lock means one side’s device, app version, or carrier doesn’t support encrypted RCS yet.
“Encrypted” Doesn’t Mean One Thing: TLS vs. E2EE
This is the confusion that has a Reddit thread ranking on page one of Google. Let’s clear it up.
Transport Layer Security (TLS) encrypts a message while it travels between your device and the server. It blocks outside interception. But the service provider, whether that’s the carrier, Apple, or Google, can still read the message on their end. This is how all RCS messages have worked until now.
End-to-end encryption (E2EE) works differently. The message is encrypted on the sender’s device and can only be decrypted on the recipient’s device. No one in between, including the platform, the carrier, or any government agency making a server-level request, can read the content.
For years, “RCS is encrypted” meant TLS only. That’s worth knowing if you’re seriously evaluating how secure RCS actually is.
| Messaging type | Encrypted in transit | Provider can read | E2EE |
|---|---|---|---|
| SMS | No | Yes | No |
| RCS (TLS only) | Yes | Yes | No |
| RCS (E2EE, UP 3.0) | Yes | No | Yes |
| iMessage | Yes | No | Yes |
What E2EE doesn’t protect
E2EE solves one specific problem: no one on the route between sender and recipient can read your message. It doesn’t solve everything else.
The EFF notes that metadata (who you messaged, when, how often) can still be collected even in E2EE conversations. Unencrypted cloud backups remain a gap. E2EE doesn’t protect against device compromise or screenshots. It secures the channel, not the device and not the account.
Your Contact Base and Encrypted RCS: Who Gets What
Coverage varies significantly by market. Here’s the realistic picture for brands managing mixed iOS/Android audiences.
Android-to-Android RCS in Google Messages has been E2EE-protected since 2020. iPhone-to-iPhone goes through iMessage, which has had E2EE for years. The new piece is iPhone-to-Android, and that depends entirely on carrier support for UP 3.0 on both ends.
| Scenario | Status as of June 2026 |
|---|---|
| Android to Android (Google Messages) | E2EE since 2020 |
| iPhone to iPhone (iMessage) | E2EE via Apple’s protocol |
| iPhone to Android (cross-platform RCS) | Beta, requires carrier UP 3.0 support on both sides |
For campaigns reaching mixed bases, this matters. In markets where no carrier has deployed RCS on iPhone yet, the cross-platform E2EE feature simply isn’t active yet.
💡 In MessageFlow, every send to a mixed base hits a certain number of your contacts via RCS on Android (depending on the market and carrier mix). Everyone else, including all iPhone users in markets without carrier support, receives the message via SMS fallback. You pay for the channel that actually delivered, not the attempt.
Android 17: The Other Messaging-Security Upgrades
The E2EE launch didn’t arrive alone. Google’s Android Security Blog detailed several new messaging-security features shipping with Android 17. Together they represent the most significant upgrade to Android messaging security in years.
OTP code protection
Android now auto-hides one-time password codes from most apps for three hours after they arrive. This closes a common attack vector where malicious apps read OTP codes from your notification tray before you use them.
Live Threat Detection
The system now warns users about SMS-forwarding apps and accessibility overlays, two tools frequently used in fraud and scam campaigns. Dynamic signal monitoring, which adds real-time behavioral analysis, is scheduled to roll out in H2 2026.
Verified financial calls
Spoofed banking calls account for an estimated $980 million in annual losses worldwide. Android 17 launches verified call channels with financial partners including Revolut, Itaú, and Nubank, with more to follow later in 2026.
2G off by default
Android 17 ships with 2G connectivity disabled by default (configurable by carriers), removing a longstanding attack surface used by IMSI catchers and SS7 exploits.
The direction is clear: Android is treating SMS and RCS as an active attack surface, not just a delivery channel, and closing it at the system level.
Brand Campaigns and E2EE: Why the Brand Agent Matters More Than Encryption
One clarification that matters if you run RCS campaigns: E2EE covers person-to-person (P2P) conversations only. Application-to-person (A2P) messaging, meaning brand campaigns, OTP messages, and transactional notifications, is not end-to-end encrypted and won’t be under UP 3.0.
That’s not a gap to worry about. The security model for RCS for Business runs on verified Brand Agent sender verification. Brand Agent confirms brand identity at the sender level and eliminates the impersonation risk that has made SMS phishing so persistent. It’s a different layer of trust, built for the broadcast nature of A2P. E2EE and Brand Agent solve different problems.
What the E2EE launch does do for brands is raise the overall perception of RCS as a secure channel. When consumers see the lock icon in personal chats, their trust in the whole RCS experience rises, including the branded messages they receive.
At MessageFlow, that shows up in the numbers: average open rates on RCS campaigns run at 70%, CTR reaches 9%, and over 79,000 brands use the platform. That’s not accidental. It’s what happens when recipients start trusting the channel.
💡 With the RCS active user base projected to reach 3.8 billion by end of 2026, roughly 40% of all mobile subscribers, and global RCS for Business operator revenue on track to grow from $2 billion this year to $6.5 billion by 2030 according to Juniper Research, the channel is accelerating. Check the latest RCS statistics for the full picture.
For a deeper look at running campaigns on the channel, explore MessageFlow RCS to see how it performs for businesses in your vertical.
RCS End-to-End Encryption: What to Do Now
The cross-platform RCS E2EE launch is a milestone, but it’s a rolling beta with a carrier dependency. Here’s a realistic read on the timeline:
- Now: Users on iOS 26.5 with a supported carrier can see encrypted chats in Google Messages and Apple Messages today.
- Next few months: Carrier UP 3.0 adoption expands; more users get the lock icon without doing anything.
- Later in 2026: Android 17’s dynamic signal monitoring goes live; verified financial calls expand to more partners; E2EE exits beta.
For brands, the action item is straightforward: if you’re not already on RCS Business Messaging, the window to get ahead of the channel is now. The consumer E2EE launch signals that Apple and Google are committed to the channel for the long term.
Ready to launch verified RCS campaigns for your brand? Explore MessageFlow RCS and see how the channel performs for businesses like yours.
Frequently Asked Questions about RCS End-to-End Encryption
Partly, and it depends on the conversation. All RCS messages are encrypted in transit with TLS. End-to-end encryption, where only sender and recipient can read the content, has covered Android-to-Android chats in Google Messages since 2020 and, since May 2026, is rolling out in beta for iPhone-Android conversations on iOS 26.5 with supported carriers.
On May 11, 2026, in beta. The requirements are iOS 26.5 on the iPhone, the latest Google Messages on Android, and carriers on both ends supporting RCS Universal Profile 3.0. Encryption is on by default where all conditions are met, and encrypted chats display a lock icon.
Transport encryption (TLS) protects a message on its way between your device and the server, but the service provider can still read the content. End-to-end encryption (E2EE) secures the message from the sender’s device to the recipient’s device only. No one in between, including carriers, Apple, or Google, can access the content.
Look for the lock icon. In Google Messages it appears next to chat bubbles. On iPhone the compose field shows “Text Message · RCS · Encrypted” with a lock. If you don’t see it, one side’s device, app version, or carrier doesn’t yet support encrypted RCS. You can check how to turn RCS on or off if you need to troubleshoot your settings.
No. E2EE covers person-to-person chats only. RCS for Business (A2P) campaigns use a different security model: the verified Brand Agent, which confirms sender identity and eliminates the impersonation risk that has made SMS fraud so widespread.
