RCS Security Audit: Tools to Scan Clients and Network Flows for Implementation Flaws

Hook: Why RCS security audits matter to developers and admins in 2026

RCS adoption accelerated across networks and endpoints in 2024–2026, but implementation gaps remain. Your team needs a compact, practical playbook to verify whether RCS clients and carriers are actually enforcing end-to-end encryption, or silently downgrading to carrier-side encryption and leaking metadata. This guide lists the tools, commands, tests, and automation patterns to audit RCS clients and network flows for encryption downgrade, metadata leaks, and handshake weaknesses.

Executive summary — what you can and will test first

• Detect whether an RCS session used MLS/E2EE or fell back to carrier-mediated encryption.
• Find metadata exposure (IMSI/MSISDN/headers/IPs) in network captures and logs.
• Audit TLS handshakes and certificate validation (versions, ciphers, pinning).
• Fuzz SIP/MSRP/MLS-capability messages to surface client and carrier robustness issues.
• Integrate these checks into CI/CD and testbeds so regressions are caught early.

2026 context — why this is urgent

By 2026 the industry trend is clear: vendors and carriers are increasingly adopting the IETF Messaging Layer Security (MLS) model and GSMA Universal Profile 3 variants for RCS E2EE. Major OS vendors added MLS-related codepaths in late 2024–2026, but deployment is staggered. That stagger creates an audit surface: interop fallbacks, carrier toggles, and accidental metadata exposure. Attackers and network appliances still exploit gaps by forcing downgrade or exfiltrating metadata, so you must verify both client behaviour and the carrier path.

Threat model — what we’re testing for

• Encryption downgrade: client or carrier falling back from MLS/E2EE to server-mediated TLS or cleartext.
• Metadata leak: persistent identifiers (IMSI, MSISDN, device IDs), presence and capability leaks, or unintended header propagation.
• Handshake weaknesses: weak TLS (TLS 1.0/1.1), static RSA ciphers, absent forward secrecy, broken certificate validation, or flawed MLS handshake implementations.
• Robustness flaws: parsing errors, out-of-spec behavior exposed by fuzzing.

Testbed and legal basics — prepare before you touch production

Always test on controlled SIMs and lab networks. Do not intercept production traffic without explicit authorization. For carrier audits coordinate with legal and carrier contacts. Recommended lab items:

• Two test devices (Android + iOS) with developer builds or beta firmware where possible.
• SIMs authorized for testing; a small private LTE/5G core (Open5GS) or a soft-RAN for isolated traffic.
• Packet broker or network TAP, and a machine running Wireshark / Tshark / Zeek.
• SIP/MSRP test clients (sipp, msrpd clients) and a SIP server you control (Asterisk/FreeSWITCH) for injection/fuzzing scenarios.

Essential tools — the toolbox for RCS audits

These are the practical, proven tools you’ll use end-to-end.

• Wireshark / Tshark — packet capture and protocol-level filters for SIP, MSRP, TLS, and custom payloads.
• Zeek (Bro) — flow and TLS/HTTP extraction, JA3/JA3S fingerprints, and scripted analyzers.
• mitmproxy — useful in device emulation testbeds where you can instrument TLS termination for client testing (only with test keys).
• openssl / testssl.sh / sslyze — TLS and certificate checks against servers.
• sipp — SIP generator and basic fuzzing; useful to emulate carrier or client SIP exchanges at scale.
• Scapy / boofuzz — craft malformed SIP/MSRP/TLS fragments and fuzz handshake logic.
• Frida / Objection — dynamic instrumenting Android/iOS clients to inspect capability advertising and E2EE logic.
• jadx / apktool — static analysis of Android APKs for capability flags, MLS libs, and certificate pinning code.
• apksigner / keytool — inspect APK signatures and bundled certs.
• JA3 tools / Zeek TLS plugin — fingerprint client and server TLS handshakes to catch downgrades or middleboxes.

Network capture: what to collect (and how)

Capture the full 3-tuple traffic and signalling. Typical RCS flows involve SIP (5060/5061), MSRP (2855), and HTTPS (443). Use a capture like:

sudo tcpdump -i any -w rcs_lab.pcap port 5060 or port 5061 or port 2855 or port 443

Useful Tshark extraction commands:

# Extract SIP transactions
tshark -r rcs_lab.pcap -Y sip -T fields -e frame.number -e sip.Request-Line -e sip.From -e sip.To -E separator="," 

# Extract TLS handshake versions & ciphers
tshark -r rcs_lab.pcap -Y 'tls.handshake' -T fields -e frame.number -e tls.handshake.version -e tls.handshake.ciphersuite -E separator=","

Look for TLS versions in client_hello and server_hello. If you see TLS 1.0/1.1 or only RSA kx without ECDHE, flag it as high risk.

Detecting encryption downgrade

Encryption downgrade tends to manifest as one of these behaviours:

• Client advertises E2EE capability but carrier answers “not supported” or strips the capability header.
• TLS parameters change mid-session (client-hello uses TLS1.3, server responds TLS1.0), or TLS handshake aborted and new session is plain TLS.
• Presence of MLS handshake frames is absent where expected.

Step-by-step detection

1. Capture the SIP OPTIONS / presence / capability exchange around session start.
2. Filter for capability headers. Example tshark line to show SIP headers:

tshark -r rcs_lab.pcap -Y sip -T fields -e sip.Method -e sip.Contact -e sip.User-Agent -e sip.Header

# Or show specific header lines containing 'e2ee' or 'mls'
tshark -r rcs_lab.pcap -V -Y 'sip && frame contains "e2ee"' | sed -n '1,120p'

If you identify a header such as "Capability: e2ee=1" on the client but the carrier’s response lacks that header (or strips it), you have evidence of an active downgrade or passive metadata suppression.

TLS-level checks

Use openssl to probe endpoints observed in the capture:

openssl s_client -connect rcs.carrier.example.com:443 -servername rcs.carrier.example.com -tls1_3

# Check certificate fingerprint
openssl s_client -connect rcs.carrier.example.com:443 -showcerts 

Then extract the leaf certificate hash:

openssl x509 -noout -fingerprint -sha256 -in leaf.pem

Look for lack of ECDHE in the accepted ciphers or server accepting downgraded TLS versions — both indicators of downgrade or middlebox interference.

Finding metadata leaks in captures

Metadata often leaks in headers, presence XML/XCAP, or reflected in HTTP/S endpoints. Tasks to run:

1. Search pcap for common identifiers:

strings rcs_lab.pcap | egrep -i 'imsi|msisdn|imei|phone|msisdn|subscriber|msrpid|xcap' | sort -u

Be thorough: check SIP headers (From, To, P-Asserted-Identity, P-Access-Network-Info), MSRP payloads, and XCAP/presence documents. Example Tshark extraction of SIP P-Asserted-Identity:

tshark -r rcs_lab.pcap -Y 'sip && sip.Authorization' -T fields -e sip.P-Asserted-Identity

Run Zeek to extract higher-level logs including http.log and x509.log which make it trivial to correlate flows to endpoints:

zeek -r rcs_lab.pcap local
# Check zeek logs http.log and ssl.log for sensitive fields

Handshake weaknesses — TLS and MLS

Check TLS for:

• Supported versions (should be TLS 1.2+ with TLS 1.3 strongly preferred).
• Forward secrecy (ECDHE ciphers present).
• Certificate chain validity and pinning policy verification on the client side.

Use testssl.sh or sslyze against server endpoints discovered in the trace:

./testssl.sh -p -U rcs.carrier.example.com:443
sslyze --regular rcs.carrier.example.com:443

For MLS-specific handshake checks, capture client logs (debug builds) or instrument clients with Frida to confirm key material exchange and MLS group state transitions. A typical dynamic instrumentation snippet with Frida will hook MLS library calls that create/update group state; a simple script can log those calls for analysis.

Fuzzing RCS clients and carriers

Fuzzing finds parsing bugs and unexpected fallback logic that can be exploited or create leaks. Recommended approach:

• Start with sipp to create malformed SIP OPTIONS, INVITE and presence documents. Use scenarios to mutate headers and observe client responses.
• Use boofuzz or Scapy to mutate MSRP payloads and MLS handshake fields — focus on length fields, TLV parsing, and capability flags.
• Fuzz TLS handshake extensions or client_hello fields to see if middleboxes cause unexpected behavior and downgrades.

Example sipp command to push a malformed OPTIONS:

sipp -sf malformed_options.xml -s target_user -p 5060 carrier.example.com:5060 -m 1

Monitor the client for crashes, exceptions in logs, or fallback to non-E2EE sessions.

Static and dynamic client analysis

Inspect the client APK/IPA to verify how capability advertising and MLS are implemented.

Android APK checklist

1. Unpack and inspect:

   apktool d app.apk -o app_src
   jadx -d jadx_out app.apk

2. Search for MLS or capability strings:

   grep -R "mls" app_src | head
   grep -R "e2ee" app_src

3. Verify APK signature and certs:

   apksigner verify --print-certs app.apk

4. Dynamic: attach Frida to intercept capability advertisement and MLS library calls:

   frida -U -f com.example.rcs -l inspect_mls.js --no-pause

On iOS device tooling varies — use testflight/debug builds and dynamic instrumentation on test devices when permitted.

Carrier testing: simulating and analyzing server-side behavior

You can emulate a carrier SIP/MSRP environment and compare behavior:

1. Deploy a test SIP server (Asterisk/FreeSWITCH) and an MSRP endpoint; control the headers and capability responses.
2. Use sipp to send client-like OPTIONS with E2EE capabilities and observe server responses; automate header mangling to detect at what point clients fallback.
3. Instrument the server with logging and compute packet traces to show header stripping or insertion.

When validating a real carrier, request a test interface and use controlled test numbers. If the carrier refuses cooperation, document the tests and do not use live customer data.

Automation & CI: integrate RCS tests into pipelines

Audits should not be one-off. Add these into CI/CD for clients and server integrations:

• Automated pcap generation and parsing using Tshark scripts run in test farms.
• Zeek processing to produce human-readable logs and trigger alerts for weak TLS or header leaks.
• Unit tests for the client MLS stack that validate MLS group state, ratchet operations, and serialization/deserialization boundaries (prevent regressions introduced by library updates).

Advanced checks and indicators of compromise

Monitor for these more subtle signs:

• JA3/JA3S drift: client TLS fingerprints that suddenly change may indicate a middlebox replacing TLS or an active downgrade.
• TLS session splitting: simultaneous TLS handshakes from a client to the same endpoint using different cipher sets.
• Repeated retransmissions with different headers: carrier rewriting or on-path manipulation.

Zeek can be scripted to produce alerts for these anomalies.

Mitigations and recommendations for developers and carriers

• Enforce MLS/E2EE by default; use explicit user consent for downgrades and make fallback visible in the UI.
• Minimize metadata exposure: use ephemeral identifiers where possible and avoid including IMSI or MSISDN in payloads or headers.
• Implement strict certificate validation and certificate pinning for known RCS endpoints—use pinning carefully and provide update channels.
• Log telemetry that records TLS versions and whether MLS handshake completed — useful for audits but avoid logging sensitive key material.
• Engage carriers in interoperability testing and specify minimal capability requirements (TLS1.3 + ECDHE + MLS enabled) in contracts and interop test cases.

Real-world example (mini case study)

In a controlled lab audit in late 2025 we saw an Android client advertise MLS capability via a SIP OPTIONS containing "caps:e2ee=mls". The carrier SIP proxy removed that header and responded as if not-capable. Tshark trace revealed the client sent client_hello with TLS1.3 but the carrier terminated TLS and re-originated a TLS1.2 session to a backend SMS app server.

Indicators collected:

• tshark output: client hello TLS1.3; server hello TLS1.2
• Zeek ssl.log: two separate TLS server endpoints rewriting SNI
• PCAP strings: presence document contained MSISDN in XCAP content (leaked metadata)

Result: carrier agreed to a lab-based remediation to preserve the capability header end-to-end and to route E2EE-capable sessions through a pass-through policy. This is the kind of measurable remediation you can expect when audits are clear and reproducible.

Checklist: immediate tests to run (copy/paste)

1. Capture traffic during RCS session startup: tcpdump -i any -w rcs.pcap port 5060 or 5061 or 2855 or 443
2. Search for capability headers: tshark -r rcs.pcap -Y 'sip && frame contains "e2ee"' -V
3. Extract TLS handshake fields: tshark -r rcs.pcap -Y 'tls.handshake' -T fields -e tls.handshake.version -e tls.handshake.ciphersuite
4. Probe servers: openssl s_client -connect host:443 -servername host -tls1_3
5. Static APK checks: apksigner verify --print-certs your_app.apk; jadx -d out your_app.apk
6. Dynamic checks: frida -U -f com.example.app -l hook_mls.js --no-pause

Future predictions — where RCS security goes after 2026

Expect wider MLS deployment across devices and carriers, but also a shift of attack focus to metadata correlation and middlebox manipulations. Carriers and vendors will increasingly expose diagnostic APIs for auditors; regulators will require proof-of-E2EE claims. For auditors, this means shifting from just TLS checks to telemetry correlation, JA3/JA3S tracking, and long-term metadata flow analysis.

Practical takeaway: proving E2EE requires both signalling validation (capabilities + MLS handshake) and transport-level verification (TLS + certificate validation). Don’t stop at “looks encrypted”.

Responsible disclosure and ethics

If you discover a downgrade or a metadata leak in a live carrier or widely distributed client, follow coordinated disclosure processes. Document your test steps, offer reproducer captures, and avoid publishing sensitive data from user traffic. Where possible, use vendor and carrier vulnerability disclosure programs.

Call to action

Start your RCS audit today: spin up a two-device testbed, run the Checklist above, and produce a reproducible packet capture and Zeek logs. If you want a template lab package (Tshark scripts, Zeek policy, Frida hooks, and sipp scenarios), download the filesdownloads.net RCS audit kit or contact our team to run a hands-on audit. Share anonymized findings back to the security community so we all raise the bar.

Related Reading

• Fog-Proof Fashion: What to Wear for a Photogenic Day at the Golden Gate
• Seasonal Ad Playbook: Using Total Campaign Budgets for Enrollment Peaks
• Flip Cards or Flip Servers? Calculating ROI on Booster Box Investments vs Spending on Hosting
• When AI Gets It Wrong: 6 Teacher Workflows to Avoid Cleaning Up After Student-Facing AI
• Personal Data Safety for Wellness Seekers: Navigating Gmail’s AI Trade-Offs