RCS End-to-End Encryption in 2026: What It Means for Business Messaging

Published on July 23, 2026

Note: This post reflects the rollout as of June 2026 and will be updated as support expands. It’s a lot more technical than our other posts, so if you’d like a simplified version of this content, check out our other blog post, “Is RCS for Business Messaging Secure? What Brands Need to Know in 2026.”

In 2026, end-to-end encryption arrived for cross-platform RCS between iPhone and Android, built on the GSMA Universal Profile specification and the MLS (Messaging Layer Security) protocol. It protects message content in transit between devices. Metadata stays outside that encryption, and business (A2P) messages aren't covered by it yet.

End-to-end encryption is the headline people have waited years for, but the detail matters, especially the line between personal chats and business messaging. Here's what's actually encrypted, how it works, and what a brand sending RCS should take from it.

What is RCS end-to-end encryption?

End-to-end encryption (E2EE) means a message is scrambled on the sender's device and can only be unscrambled on the recipient's device. No intermediary in between — not the carrier, not the messaging platform — can read the content along the way.

That's a step beyond encryption in transit, which protects a message as it travels but allows authorized systems to access it at points along the route. Both protect against interception; E2EE simply keeps the keys on the devices themselves.

When did it launch?

The capability was standardized in the GSMA's Universal Profile 3.0 in 2025. The milestone most people noticed came in 2026, when cross-platform encryption between iPhone and Android started rolling out in beta. It was the first time an encrypted RCS message could pass between the two platforms.

Availability is still expanding. As it stands, it depends on device software and carrier support, so not every conversation is encrypted yet even between two people whose phones technically support it.

How does it work?

RCS encryption is built on MLS (Messaging Layer Security), the same modern standard that trusted secure messaging apps use. The mechanics are worth knowing because they explain why this took so long to arrive cross-platform:

  • Your device generates an encryption key, so a message is encrypted before it ever leaves the phone.
  • The encrypted message travels through carrier and server infrastructure, where no one can read its contents.
  • Only the recipient's device holds the key to decrypt it.

Because the keys live on the devices rather than in the cloud, Apple and Google don't have to trust each other's servers for it to work — which is what made a shared standard possible.

Does end-to-end encryption apply to business messaging?

This is the part brands need to be clear on: not fully yet (as of 7/23/2026).

End-to-end encryption currently covers person-to-person conversations. Business-to-person (A2P) messages — the offers, reminders, alerts, and passcodes your brand sends — are encrypted in transit but are not end-to-end encrypted. The primary trust mechanism for business messaging is the verified sender, which confirms the message genuinely came from you. (More on RCS security for business.)

There's a practical reason for the gap. Business messages route through platforms, carriers, and systems that handle high volume, cross-carrier delivery, and automatic fallback to SMS — and some of that requires authorized systems to process the message. True end-to-end encryption for high-volume business messaging is still evolving.

What's protected and what isn't

| What you're sending | Encryption today |
| --- | --- |
| Person-to-person chat (supported devices and carriers) | End-to-end encrypted |
| Business-to-person message (offers, alerts, passcodes) | Encrypted in transit, not end-to-end |
| Message metadata (who messaged whom, when, how often) | Not encrypted |

That metadata line is the one most often overlooked. Even where content is end-to-end encrypted, the record of who communicated and when sits outside the protection. Only the message content itself is protected.

What this means for brands sending RCS today

Three takeaways:

  1. Lead with verified identity, not encryption claims. For business messaging, the verified sender is what builds trust and stops impersonation — and it's available now.
  2. Mind the fallback. Because RCS can fall back to SMS on unsupported devices, keep highly sensitive content out of any message that might be delivered as plain text.
  3. Expect the bar to keep rising. Encryption coverage is widening with each release, and the direction of travel is clear.
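
One way to enforce the second takeaway before a message is sent, shown as an added example that is not part of the original post or any nativeMsg product. The definition of "highly sensitive" (card numbers and US SSNs), the `gate` function and its `send` / `rcs_only` / `hold` actions are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed policy: card numbers and US SSNs count as "highly sensitive".
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order or tracking numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_findings(text: str) -> list:
    """Return the sorted names of sensitive data types found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card_number")
    if SSN_RE.search(text):
        found.add("us_ssn")
    return sorted(found)


@dataclass
class Decision:
    action: str  # "send", "rcs_only" or "hold" (hypothetical action names)
    reasons: list = field(default_factory=list)


def gate(text: str, rcs_capable: bool, sms_fallback: bool) -> Decision:
    """Decide whether a message may leave, given how it could be delivered."""
    reasons = sensitive_findings(text)
    if not reasons:
        return Decision("send")
    if not rcs_capable:
        return Decision("hold", reasons)      # would be delivered as plain SMS
    if sms_fallback:
        return Decision("rcs_only", reasons)  # send, but with fallback turned off
    return Decision("send", reasons)
```

The `reasons` list is returned even when the action is `send`, so a sender can log that sensitive content went out over RCS only.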

At nativeMsg, we believe that the security lies within the trust established with the branded sender identity, and the encrypted messages in between. Data transmitted between you and your customers will be safe and secure. 

Want to see what verified, secure RCS looks like through the customer's eyes? Check out our interactive guide.

Frequently asked questions

Is RCS end-to-end encrypted now? Person-to-person RCS can be end-to-end encrypted, including across iPhone and Android, where devices and carriers support it as of the 2026 rollout. Business messages are not end-to-end encrypted.

Does encryption work between iPhone and Android? Yes — that cross-platform capability began rolling out in beta in 2026, using the shared MLS standard, on supported software versions and carriers.

Are business RCS messages end-to-end encrypted? No. Business (A2P) messages are encrypted in transit, and the verified sender is the trust mechanism that confirms the brand behind each message.

What does RCS encryption not protect? Message metadata — who messaged whom, when, and how often — falls outside the encryption, even for end-to-end encrypted person-to-person chats. It’s no different from how messages currently operate.

Steve Lys
