In a significant move to bolster cybersecurity, the Indian government has proposed a sweeping set of new regulations that would require smartphone manufacturers to share their proprietary source code with authorities. This proposal is part of a broader package of 83 security standards aimed at protecting user data in the world's second-largest smartphone market, which boasts nearly 750 million devices.
Behind-the-Scenes Opposition from Tech Giants
The proposed security overhaul, which also includes mandates for companies to alert the government about major software updates, has triggered strong behind-the-scenes opposition from industry leaders. Tech behemoths including Apple and Samsung have pushed back, arguing that the requirements lack any global precedent and pose a severe risk to their intellectual property and trade secrets. This information comes from confidential government and industry documents reviewed by Reuters and four individuals familiar with the ongoing discussions.
IT Secretary S. Krishnan addressed the concerns, stating that the government would address any legitimate industry issues with an open mind and that it was premature to draw conclusions. A ministry spokesperson declined further comment, citing ongoing consultations with the technology companies involved.
Key Demands of the New Security Framework
The proposed Indian Telecom Security Assurance Requirements form a comprehensive and stringent framework. Among the most contentious demands is government access to a device's source code—the fundamental programming instructions that make a smartphone function. According to the proposals, this code would be analyzed and potentially tested at designated laboratories within India.
Beyond source code access, the rules would enforce several software-level changes on devices sold in India. These include:
- The ability for users to uninstall pre-installed applications.
- Blocking apps from accessing a phone's camera and microphone in the background to prevent malicious usage.
- Mandatory automatic and periodic malware scanning on the device.
- Storing system activity logs on the device for a minimum of 12 months.
- Informing the National Centre for Communication Security about major software updates and security patches before public release, granting the centre the right to test them.
Industry's Stance and Practical Challenges
The industry, represented by groups like the Manufacturers' Association for Information Technology (MAIT), has raised significant practical and philosophical objections. In a confidential document, MAIT argued that a complete security assessment and source code review is "not possible" due to secrecy and privacy concerns. They pointed out that major markets in the EU, North America, Australia, and Africa do not impose such mandates.
Smartphone makers guard their source code fiercely. Apple famously declined similar requests from China between 2014 and 2016, and U.S. law enforcement has also faced challenges in obtaining it. The industry body has also highlighted technical hurdles, stating that constant malware scanning would drain battery life significantly, seeking pre-approval for software updates is "impractical" for timely security patches, and most devices lack the storage capacity to hold a full year of system logs.
This proposal is the latest in a series of tussles between the Indian government and technology firms. It follows last year's mandate for rigorous testing of security cameras over espionage fears and last month's revocation of an order requiring a state-run cyber safety app on phones after surveillance concerns were raised.
With smartphone market shares led by Xiaomi (19%), Samsung (15%), and Apple (5%), the outcome of these discussions, including a key meeting scheduled for Tuesday between IT ministry officials and tech executives, will have profound implications for the future of mobile technology and data security in India.
