Featured image of post India's Controversial Smartphone Security Rules: Source Code Access and Beyond
Technology

India's Controversial Smartphone Security Rules: Source Code Access and Beyond

India is proposing a sweeping package of smartphone security standards that would grant government access to device manufacturers’ source code, marking an unprecedented move that has triggered significant pushback from global tech giants including Apple, Samsung, and Google.

The Proposal: What India Wants

The Indian government is considering making 83 security standards legally binding, a package that includes several contentious requirements. At the center of the debate is a proposal requiring device makers to allow designated Indian labs to review and analyze smartphone source code—the core instructions controlling how devices operate. The proposal would also require companies to notify the government before rolling out major software updates and security patches.

Beyond source code access, the proposed rules include:

  • Mandatory periodic malware scanning on all devices
  • Removal of the ability for apps to access cameras or microphones while running in the background
  • Allowing users to uninstall preinstalled apps
  • Storage of system activity logs on devices for at least 12 months
  • Government notification and testing of updates before public release

Why Industry Is Resisting

Tech companies argue this represents uncharted regulatory territory. According to internal government documents reviewed by Reuters, officials acknowledged that “globally security requirements have not been mandated by any country” in this manner. The tech industry group MAIT, representing companies like Apple, Samsung, Google, and Xiaomi, warned the government that source code access risks revealing proprietary information.

Companies have raised several practical concerns. Constant malware scanning could drain battery life, requiring government approval for security patches would slow critical updates, and most devices lack sufficient storage capacity to maintain 12 months of system logs.

Government’s Response

India’s Ministry of Electronics and Information Technology has denied the proposal requires full source code handover, characterizing the ongoing talks as consultations about “best international practices” rather than mandatory demands. IT Secretary S. Krishnan stated that “any legitimate concerns of the industry will be addressed with an open mind.” However, this denial comes despite Reuters’ review of internal government and industry documents confirming the source code requirement.

Context: A Pattern of Controversial Tech Policy

India’s latest proposal follows a pattern of aggressive digital control measures. Last month, the government withdrew an order requiring state-backed cyber safety apps to be preinstalled on smartphones after intense public and industry backlash. Days later, officials proposed requiring smartphones to keep location services permanently enabled with no option to disable them.

India’s previous cybersecurity initiatives have also faced resistance. In 2022, the government introduced a directive requiring organizations to report cybersecurity incidents within six hours, but compliance proved minimal and largely unenforced.

What’s Next

Government officials and industry executives were scheduled to meet for further discussions, with more formal meetings planned throughout the week. As India weighs these proposals for its market of nearly 750 million smartphones, the outcome could set precedents for how other nations approach device security regulation and foreign technology company oversight.

Photo by StefanCoders on Pixabay