On Monday morning, Google announced it had teamed up with a slew of telecom operators to back a new uniform messaging system for Android phones. Text messaging on Androids will soon have many of the nifty features — rich photos and videos, group chats and so on — that iPhones and popular messaging apps have.
The move is part of Google’s mobile strategy to keep users from flocking to Apple and Facebook, owner of two popular messaging apps.
But it’s also a reminder of the thorny, complicated world in which Android operates when it comes to security.
That’s because of the system’s backbone. It’s a spruced-up SMS platform called Rich Communications Services, designed by a consortium of carriers aiming to provide an alternative to immensely popular over-the-top messaging apps like Facebook’s WhatsApp. Several security experts have pointed out that the system’s privacy infrastructure is weaker than that of rivals with closed systems, making it vulnerable to malicious attacks or government access.
“It’s pretty primitive,” said Philip Lieberman, president and CEO of security firm Lieberman Software. “You try to connect one carrier to another carrier, you end up degrading to the worst encryption of the pair.”
A key feature of RCS is the ability to send consistent messages across all operators worldwide. But it’s designed, according to experts, to default to the least fortified carrier security system, since many operators are tightly regulated (or in some cases run by) national governments.
“It’s designed with surveillance as a primary feature,” said Christopher Soghoian, an ACLU privacy researcher.
This issue is, of course, timely given the high-profile standoff between Apple and U.S. authorities over encrypted iPhone data. GSMA, a global telco group that runs Mobile World Congress, is behind RCS. In its technical specifications for RCS, GSMA wrote that its text messaging feature should be built to “allow compliance with legal interception procedures.”
Representatives from GSMA did not return requests for comment.
To be clear, Google isn’t behind the RCS security system; the carriers are. Google just announced that it will support the platform on Android.
Yet the RCS security system looks to be softer than Google’s ideal — the full encryption found on a select few Android devices, which, Google claims, keeps users’ information even from Google. (Hangouts, Google’s current chat product, is encrypted like Gmail; it passes through Google’s servers and the company can, theoretically, hand it over.) Still, the issue underscores the company’s nagging issue with Android: Unlike Apple, Google has to rely on a dizzying array of carrier and hardware partners for the devices and their security.
The new messaging initiative is the fruit of Google’s acquisition of the mobile startup Jibe in September. It falls under the search giant’s muddled Communications division, which is also trying to reinvigorate Hangouts. Google is not saying if the RCS capability will be integrated into Hangouts, its native Android messaging app or an altogether new one.
“Today marks an important step forward in bringing a better messaging experience for Android users everywhere,” Nick Fox, Google’s Communications chief, said in a statement.
Soghoian, who raised the security flaws in RCS on Twitter, admitted that the RCS system was not Google’s responsibility, but critiqued the search giant for tying up with it.
“Is this better than SMS? Probably,” he said. But, he added, “the tech industry can deliver a lot more in 2016.”
Update: A GSMA sends over this statement: “RCS is a consumer communications service that has a high level of security against malicious attack. However, RCS is an Operator Service and as such is required to comply with national regulations.”
This article originally appeared on Recode.net.