In a move to bolster national cybersecurity, the Indian government has proposed a sweeping set of new security regulations for smartphones. However, these proposals—which include a controversial requirement for companies to share their proprietary source code—have sparked significant pushback from global technology giants like Apple, Samsung, Google, and Xiaomi.
The rules, part of a package of 83 security standards known as the Indian Telecom Security Assurance Requirements (ITSAR), represent a major shift in how the world’s second-largest smartphone market intends to regulate mobile hardware and software.
The Core of the Controversy: Source Code Disclosure
The most sensitive provision in the draft rules is the requirement for smartphone manufacturers to provide their source code—the underlying “blueprint” of an operating system—for review by government-designated laboratories.
Government Objectives
According to government documents, the goal is to conduct “vulnerability analysis” to ensure that devices do not contain hidden backdoors or security flaws that could be exploited by malicious actors or foreign states.
Industry Pushback
Tech companies, represented by the industry group MAIT, have stated that this requirement is “not possible.” They argue that:
- Trade Secrets: Source code is the most closely guarded intellectual property of tech firms.
- Privacy Risks: Disclosing code could inadvertently create new security vulnerabilities.
- Lack of Precedent: No other major market, including the EU or North America, mandates such a level of disclosure for consumer devices.
Key Security Requirements for Manufacturers
Beyond the source code, the proposed rules introduce several other mandates that would fundamentally change the user experience and device performance.
1. Control Over Pre-installed Apps and Permissions
The government wants to give users more control over their privacy by requiring:
- Deletable Bloatware: The ability to uninstall most pre-installed applications that come bundled with the OS.
- Background Restrictions: Blocking apps from accessing cameras, microphones, or location services while the phone is inactive or the app is running in the background.
2. Monitoring and Maintenance
To combat the rise in online fraud and malware, the rules propose:
- Mandatory Malware Scanning: Periodic, automatic scans of the device for harmful applications.
- Extended Log Retention: Requiring devices to store security audit logs (such as login attempts and app installations) for 12 months.
3. Update Pre-notifications
Manufacturers would be required to notify the National Centre for Communication Security (NCCS) before releasing major software updates or security patches, allowing the agency time to test them.
Industry Concerns and Practical Challenges
Technology firms have voiced concerns that these rules are not only unprecedented but also technically “impractical.”
Performance and Battery Life
Industry representatives argue that continuous, mandatory malware scanning and the storage of a year’s worth of system logs would significantly drain battery life and consume precious hardware storage space on consumer-grade devices.
Security Delays
The requirement to notify the government before releasing patches is a major point of contention. Companies argue that when a “zero-day” vulnerability is being actively exploited, security fixes must be deployed immediately. Any delay caused by government review could leave millions of Indian users vulnerable to active cyberattacks.
Market Impact
With India hosting nearly 750 million smartphone users, the stakes are high. While New Delhi has previously backed down on similar mandates—such as a recent order to pre-install a state-run cyber safety app—the government appears more determined to enforce these standards as part of a broader push for digital sovereignty.
Next Steps in the Negotiation
The Ministry of Electronics and Information Technology (MeitY) has indicated that it is open to addressing “legitimate concerns” of the industry. High-level meetings between government officials and tech executives are expected to continue as both sides seek a middle ground between national security and corporate intellectual property.
