CISA warns against unencrypted messaging
Tuesday November 25, 2025. 05:51 PM, from ComputerWorld
In an echo from this time last year, smartphone users are again being warned against sending unencrypted text messages by the US Cybersecurity and Infrastructure Security Agency (CISA).
Warning in particular against nation-state attacks via messaging services aimed at high-value individuals, the latest updated CISA bulletin should be seen as a warning to us all. “Cyber threat actors are using spyware and other advanced social engineering techniques to target private messaging apps and compromise mobile devices,” the organization said.

Will Apple encrypt RCS in iOS 26.2?

While the security team notes that exploits seem focused on Signal and WhatsApp at the moment, the implication remains that Android and iPhone users should avoid unencrypted text messaging. That means don’t use the standard messaging app on either device, as even the latest Rich Communication Services (RCS) protocol now supported on both platforms doesn’t yet extend to end-to-end encryption, which only came to RCS earlier this year. Google is testing end-to-end encryption, and Apple has promised to introduce it.

“End-to-end encryption is a powerful privacy and security technology that iMessage has supported since the beginning, and now we are pleased to have helped lead a cross industry effort to bring end-to-end encryption to the RCS Universal Profile published by the GSMA,” Apple said. “We will add support for end-to-end encrypted RCS messages to iOS, iPadOS, macOS, and watchOS in future software updates.”

Right now, the smart money has RCS encryption as a potential addition within iOS 26.2. This makes sense given Apple sees privacy as a human right, and protection of that right demands E2EE in its messaging apps.

CISA says things are dangerous

CISA pulled no punches in the recommendations it made. It warned that potential targets (particularly in military, government, or political positions) should immediately review the security protections they have in place. “Highly targeted individuals should assume that all communications between mobile devices — including government and personal devices — and internet services are at risk of interception or manipulation,” it warns.
What this means is that if you must send messages to others, you should use encrypted messaging platforms such as Signal or WhatsApp. You might also want to protect yourself by preventing use of standard text messaging on your devices. On the iPhone, you can do this in Settings, where in the Messages section you should disable the Send as Text Message option. This will ensure any messages you are able to send are sent securely using iMessage’s E2EE system.

CISA makes some iPhone-specific recommendations. That’s interesting as it reflects how widely used the Apple device has become in government and business, and suggests how febrile the security environment has become. That should be of particular concern to any government, particularly the UK government which may, or may not, have forced Apple to ensure encryption on its devices is deeply weakened. The latter seems a self-harming move in the security environment CISA tells us we’re in.

What does CISA suggest for iPhones?

CISA warns that iPhone users from the highly targeted groups should enable Lockdown Mode, use iCloud Private Relay, or rely on encrypted DNS services from providers such as Cloudflare, Google, or Quad9. It also suggests regular review of app permissions in Settings > Privacy & Security, revoking these if an app doesn’t really need such functionality.

What does CISA suggest for Android?

CISA’s Android advice is to use RCS if end-to-end encryption is enabled, use Private DNS/encrypted DNS services, and ensure the highest security settings are in place on Chrome and Google Play Protect. CISA recommends Android users “prioritize models from manufacturers with strong security track records.” That means only using devices from manufacturers with a good reputation for timely security updates and a commitment to long-term security support.

The agency also has some good advice for those who use Signal or WhatsApp to help secure their communications.
Among other suggestions, it warns people not to scan group invites or QR codes from unknown sources, and to verify the authenticity of any group invitations by contacting the group administrator initially. It also advises people to review the devices included in the linked devices section in message application settings. Finally, it recommends the use of FIDO authentication to help secure the device and the messaging service, and to “migrate away” from SMS-based MFA systems.
https://www.computerworld.com/article/4096023/cisa-warns-against-unencrypted-messaging.html