India eyes smartphone source code in security overhaul
India proposes requiring smartphone manufacturers to share source code with the government and make various software changes as part of a set of security measures; This leads to behind-the-scenes opposition from giants like Apple and Samsung.
Technology companies have opposed the suite of 83 security standards, which include a requirement to warn the government of major software updates, saying they have no global precedent and risk revealing private details, according to four people familiar with the discussions and a Reuters review of confidential government and industry documents.
The plan is part of Prime Minister Narendra Modi’s efforts to improve the security of user data as online fraud and data breaches rise in the world’s second-largest smartphone market, with almost 750 million phones.
IT Secretary S Krishnan told Reuters that “legitimate concerns of the industry will be addressed with an open mind” and added that “it is premature to know more about this”.
A department spokesman said he could not comment further due to ongoing consultations with technology companies about the proposals.
Apple, South Korea’s Samsung, Google, China’s Xiaomi and MAIT, the Indian industry group that represents the companies, did not respond to requests for comment.
The Indian government’s requirements have bothered tech companies before. In December, he rescinded an order requiring the use of a government-run cybersecurity app on phones over surveillance concerns.
But the government put its lobbying efforts aside in 2025 and mandated strict testing of security cameras due to fears of Chinese espionage.
According to Counterpoint Research’s estimates, Xiaomi and Samsung, whose phones use Google’s Android operating system, hold 19 percent and 15 percent of the market share in India, respectively, while Apple holds five percent.
Among the most sensitive requirements in the new Indian Telecom Security Assurance Requirements is access to source code, the basic programming instructions that make phones work.
Documents show that it will be analyzed and possibly tested at designated laboratories in India.
India’s proposals also require companies to make software changes to allow pre-installed apps to be removed and to prevent apps from using cameras and microphones in the background to “prevent malicious use.”
“The industry has expressed concerns that the global security requirement has not been mandated by any country,” said the December IT ministry document, which details officials’ meetings with Apple, Samsung, Google and Xiaomi.
Safety standards drafted in 2023 are under the spotlight as the government considers enforcing them legally.
The IT ministry and technology executives will meet on Tuesday for further discussions, sources said.
Smartphone manufacturers closely guard their source codes. Between 2014 and 2016, Apple denied China’s request for source code, and US law enforcement also tried but failed to obtain it.
India’s “vulnerability analysis” and “source code review” proposals would require smartphone manufacturers to conduct a “complete security assessment”, after which testing labs in India would be able to check their claims through source code review and analysis.
“This is not possible due to confidentiality and privacy reasons,” MAIT said in a confidential document prepared in response to the government proposal and seen by Reuters.
“Major countries in the EU, North America, Australia and Africa do not impose these requirements.”
India’s proposals would mandate automatic and periodic malware scanning on phones.
Device manufacturers will also be required to notify the National Communications Security Center of major software updates and security patches before rolling them out to users, and the center will have the right to test them.
MAIT’s document says that regular malware scanning significantly drains the phone’s battery and that obtaining government approval for software updates is “not feasible” as these updates must be released immediately.
India also requires the phone’s logs (digital records of system activity) to be stored on the device for at least 12 months.
Australia’s Associated Press is the beating heart of Australian news. AAP is Australia’s only independent national news channel and has been providing accurate, reliable and fast-paced news content to the media industry, government and corporate sector for 85 years. We inform Australia.
