It might be tempting to think that a Virtual Private Network service will help secure standard text messages. It’s a logical assumption, given the marketing from VPN providers. But, are SMS text messages secure?
No. Standard SMS text messages are not secure or private. They are sent in plain text without encryption. Messages are transmitted over a cellular service provider’s call control channel, which was only designed to start voice calls. The 160-character limitation prevents encryption from being practical.
There’s a bit more to understand about the 1990s, old-school SMS text message. Let’s also clarify VPNs, and how to encrypt text messages properly.
A Bit More About SMS Text Messages
What is the difference between a text message and an SMS message?
A text message is a generic term for a short set of text characters, words, or several sentences sent between mobile phones or smartphone applications. An SMS message is a text message sent over the voice channel of the cellular network. SMS messages have a length limitation and are insecure.
Modern text messages sent via smartphone apps or over web-based messengers are more secure and do not typically have length limitations.
How does a text message travel?
Original SMS text messages travel using a portion of the cellular voice network. Several storage servers and transmission devices log, read, and direct the text content between phones. Newer messenger services use the internet to route partially- or fully-encrypted messages between apps on smartphones.
Are SMS Messages Secure?
SMS messages travel across only one or two private cellular networks. The nature of short messaging service texts means they are logged on the hardware owned by mobile service providers. These systems are closed and have limited connectivity to the internet. They are relatively secure but not private.
Mobile users in the last 25 years have out-grown the capabilities of SMS. This technology standard only provides a maximum length of 160 characters in the Latin alphabet. For other alphabets like Chinese, the maximum SMS text message is only 70 characters.
New SMS handling has worked around length limitation by using some of the transmission lengths to help the receiving phone on how to string together multiple messages.
But, new technologies have more than taken the place of the legacy texts and their lack of encryption, making standard SMS unfit for privacy.
Are SMS Messages Private?
SMS messages are not private. Short messaging service texts are clear or plain text with no encryption. The content must be logged on several sets of servers as each message part makes its way between phones. The mobile cellular providers keep these logs for varying and undisclosed amounts of time.
MMS Builds On Top of SMS
Multimedia Messaging Service, or MMS, was developed on top of SMS as a way to send different types of media like pictures, audio clips, and even short, low-quality video. The MMS standard started in 2009 and increased the size of transmitted data to 300KB. The initial rollouts of the systems were unstable and MMS messages were expensive and unreliable. Around the same time, mobile internet service became common, and in many markets, it was a better alternative to MMS.
More Space But Still No Encryption
With the increased message size, transmitting encrypted messaging could have been possible. The problem was that each phone would need to standardize how to encrypt and decrypt messages. Establishing a standard for the in-built MMS applications across phone manufacturers was impractical on “dumb phones” and smartphone app developers have since focused on transmitting encrypted messages across the more-efficient Internet. Bottom line…
There’s an app for that.(tm) Apple, Inc. December 4, 2009
What Are the Uses of a VPN?
There are two uses for a VPN. A trustworthy Virtual Private Network service secures your internet traffic, preventing viewing or tampering of the data. Routing traffic through a VPN adds a high-level of privacy. A VPN can also allow access to region-restricted online content and websites.
Secure and Hide Your Internet Traffic
Now that we understand how standard SMS works, we can see that using a VPN does not encrypt text messages.
A VPN provides security by encrypting your internet traffic from your internet service provider and other users on the same Wi-Fi network. It also alters the Internet Protocol or IP address recorded by the destination online service. Altering this part of your metadata helps anonymize your online profile or fingerprint.
Since SMS text messages are sent across your mobile phone’s cellular voice control channel, they are not part of standard internet traffic. Your VPN connection is not involved.
Access to Region-Restricted Content
Another benefit of having a VPN connection is the ability to get around region restrictions. Some content providers choose to limit the audience that is permitted to access their content. While it is not a bulletproof solution, a VPN can assist in gaining access to the content, website, or service.
How To Encrypt a Text Message
To encrypt a SMS text message, the only viable option is to use a text pasting service like PrivateBin which provides a link to a encrypted message. The link fits within a standard SMS length limitation. Ideally, users should stop using SMS texts and switch to a modern messenger with end-to-end encryption.
There are a lot of messenger apps on the main app stores. In fact, we have a breakdown of 10 secure messaging apps and how well they deliver self-destructing messages.
Pro Tip: When signing up for an instant messaging service, do not allow the secure messaging app to access your contact list. Provide as little of your real information as possible.
The easiest replacement for SMS and MMS is Whatsapp. While owned by Facebook, the Whatsapp service provides end-to-end encryption for iOS and Android mobile operating systems. It’s a drop-in replacement for the default messaging apps, Android Messages and Apple iMessage.
The sign-up process uses your existing mobile phone number as your account instead of a username. Using a phone number for registration provides a decent level of identity assurance i.e., you’re texting with who you think you are texting. The privacy concern is that the Whatsapp messaging system has metadata on its user base, making only message content truly secure, but this hasn’t detracted from its popularity.
This article from the website Business of Apps notes that as of October 2018, the latest available statistics put
“WhatsApp in the number one spot in a ranking of global messenger apps, with some 200 million more users than Facebook Messenger.”
-Mansoor Iqbal, Updated: February 19, 2019
With 1.5 billion monthly active users (MAU) across 180 countries, it’s pretty clear social proof that Whatsapp is a step in the right direction, but it’s NOT the best for sending encrypted texts.
The most secure replacement for SMS and MMS is the Signal Messenger app when both parties are using the app.
Founded only one year after Whatsapp, security researcher Moxie Marlinspike and roboticist Stuart Anderson co-founded Open Whisper Systems. The company produced several versions of secure communication apps which eventually evolved into the Signal Messenger app.
Use anything by Open Whisper Systems.Edward Snowden, whistleblower and privacy advocate
Whatsapp uses Signal’s encryption protocol to secure the transmission, but the important difference is in the transparency of the app and how your data is handled while stored and accessed on your phone.
- The Signal Messenger app is open-source meaning its code can be inspected and verified by anyone. This allows an extra layer of assurance proving the app is doing what it promises. Whatsapp is closed and proprietary.
- The Signal Messenger forgoes risky features purposefully not offering data backups or web-based access that might expose your text messages to being intercepted.
The sign-up process is very similar to WhatsApp. As long as both the sending and receiving users have Signal Messenger, the text messages between the two mobile devices are encrypted end-to-end.
I am regularly impressed with the thought and care put into both the security and the usability of this app. It’s my first choice for an encrypted conversation.Bruce Schneier, internationally renowned security technologist
We have a couple of other mobile messengers listed on our recommended tech page which are also open-source and provide greater levels of private messaging than Signal. The listed apps include the same data protection functionality (digital certificate verification) and additional features (video and phone calls) above simple text-based communication.
Just like most email, standard SMS text messages are like postcards. Anyone at any point from sending, transmitting, and receiving can potentially read who it’s from, who it’s to, and the message contained within. Security experts agree that it’s time to upgrade to a modern private messenger to protect your user data and online privacy.
Related Questions & Tips
Are iPhone text messages encrypted?
Sometimes. If the sender and the receiver are both using iMessage, then the Apple-only service is using end-to-end encryption to transmit these texts. This is much better than standard SMS, but the system is not completely secure. iCloud backups including iMessage history may be accessible by Apple.
How do I remove encryption from text messages?
Removing encryption from your text messages will expose your data and make you less-secure. If it is important to store a piece of content unencrypted, then simply select one or more messages, copy and paste it into a plain-text note or email it to yourself.
Is Google’s RCS Chat protocol a replacement of SMS and an answer to iMessage?
Google’s RCS will be a valuable replacement for the standard SMS. The older texting system will be kept as a fallback on Android, but the new protocol could leap-frog Apple’s iMessage reaching more users across phone manufacturers and cellular service providers.