Key Points
The Centre is considering imposing 83 new smartphone security standards, including government access to source codes and mandatory advance notice before software updates.
Smartphone manufacturers like Apple and Samsung argue the requirements lack global precedent and could expose proprietary systems and user security.
Digital rights groups say the proposals threaten mass surveillance, increase the risk of cyber attackers, lack statutory backing, and violate privacy safeguards laid down by the Supreme Court.
The Centre is pushing for an overhaul of smartphone security rules that would require device makers to share sensitive source code with government-designated laboratories and comply with a wide array of new software controls. The proposal was made public in a report by Reuters and a review of official documents by media and rights groups. The proposal has been met with backlash from smartphone manufacturers, prompting the government to issue a clarification on the issue.
At the heart of the plan are the Indian Telecom Security Assurance Requirements (ITSARs) – a set of 83 standards first drafted in 2023 by the National Centre for Communication Security (NCCS) under the Department of Telecommunications. These standards are now under discussion within the Ministry of Electronics and Information Technology (MeitY) with the possibility that they could be made mandatory through notification. Among the most contentious provisions is a requirement that smartphone manufacturers must provide access to proprietary source code for operating systems, enabling government-designated labs to conduct vulnerability analysis and source code reviews.
The ITSAR package goes beyond source code access. It would require manufacturers to notify a government agency before rolling out major software updates or security patches, mandate automatic and periodic malware scans on devices, and require phones to store detailed system logs, including app installations and login attempts, for at least 12 months. Other provisions would force device makers to allow users to uninstall most pre-installed apps, restrict background access to cameras and microphones, and introduce permanent anti-rollback protections that block installation of older software versions.
See Also: India Orders Smartphones to Pre-Install ‘Sanchar Saathi’, Faces Backlash Over Privacy Concerns
According to Reuters, the proposals have drawn strong behind-the-scenes resistance from global technology firms including Apple, Samsung, Google and Xiaomi, which lead India’s smartphone market. These companies, along with a representative body, the Manufacturers’ Association for Information Technology (MAIT), have argued that the proposed standards are unprecedented globally and risk exposing highly sensitive intellectual property.
Government officials, however, have sought to temper the concerns. According to officials, this is part of a broader push to strengthen data security in India, amid a surge in online fraud and breaches in the world’s second-largest smartphone market, which has nearly 750 million users.
IT Secretary S Krishnan told Reuters that “any legitimate concerns of the industry will be addressed with an open mind,” adding that it was premature to draw firm conclusions while consultations were ongoing. After the story broke, the IT Ministry issued a statement disputing suggestions that it was definitively seeking source code disclosure. It described the discussions as part of routine engagement with industry to develop “an appropriate and robust regulatory framework for mobile security,” following the enactment of the Telecommunications Act, 2023.
However, in a confidential submission accessed by Reuters, MAIT told the government that mandatory source code review was “not possible” due to corporate secrecy obligations and global privacy policies. The group pointed out that major jurisdictions in Europe, North America, Australia and Africa do not impose such requirements. It also warned that continuous malware scanning would significantly drain battery life, while requiring government notification or approval before releasing security updates would be impractical because such fixes are often time-sensitive and must be deployed quickly to protect users from active threats. MAIT further argued that consumer smartphones lack the storage capacity to retain a full year of detailed system logs.
The standoff reflects a familiar pattern in India’s technology policy. In recent years, the government has both rolled back and pushed through contentious digital mandates. In December 2025, it revoked an order requiring smartphones to preload a state-run cyber safety application after surveillance concerns caused a public uproar. Earlier, however, it pressed ahead with stringent testing rules for security cameras, citing fears of foreign spying, despite industry lobbying.
The Internet Freedom Foundation, a digital rights advocacy organisation, said the draft ITSAR requirements threaten user privacy and effectively turn every smartphone into a surveillance endpoint. In a detailed public statement, IFF argued that mandatory source code disclosure, 12-month log retention and government pre-approval of updates treat “every citizen as a suspect and every device as a surveillance endpoint.”
IFF said there is no clear statutory basis for the proposed requirements and no evidence of meaningful public consultation, noting that discussions appear limited to bilateral exchanges between the Centre and manufacturers. From a constitutional perspective, the organisation pointed to the Supreme Court’s landmark ruling in KS Puttaswamy vs The Union of India, which affirmed informational privacy as a fundamental right and held that any state intrusion must meet tests of legality, necessity and proportionality.
Technically, IFF warned, centralising access to proprietary source code in government-controlled labs would create a high-value target for cyber attackers. If such a repository were compromised, the security of millions of Android and iOS devices could be undermined at once. The requirement to retain detailed logs of app installations and login attempts for a year, it added, would generate a granular map of users’ private lives, associations and interests, violating basic principles of purpose limitation in data protection. The group also described the update notification requirement as counterproductive, arguing that bureaucratic delays could leave users exposed to known vulnerabilities.
Beyond privacy, IFF raised concerns about user autonomy and ownership. Provisions mandating tamper-detection warnings for rooted or jailbroken devices, and permanent anti-rollback protections, would, in its view, criminalise advanced users who customise their phones or extend the life of older hardware. Such measures, it argued, conflict with users’ right to repair and modify devices they own.
According to Reuters, tech executives and officials are scheduled to meet again this week to discuss the proposals. The outcome of this tussle between global tech companies and the Indian government is likely to shape not only the balance between security and privacy for users in India’s digital ecosystem but also access to and development of the domestic smartphone market.
[DS]
Suggested Reading: