INDIA is considering a proposal that would require smartphone makers to share source code with the government and make several software changes as part of a broader set of security measures, according to a report.
The plan has triggered opposition from companies such as Apple and Samsung, people familiar with the discussions said.
The proposal includes 83 security standards and would also require companies to alert the government to major software updates. Industry representatives have argued the measures have no global precedent and could expose proprietary information, according to four people familiar with the talks and a Reuters review of confidential government and industry documents.
The plan is part of Prime Minister Narendra Modi’s push to strengthen user data security as online fraud and data breaches increase in India, the world’s second-largest smartphone market, which has nearly 750 million devices.
IT Secretary S. Krishnan told Reuters on Saturday that “any legitimate concerns of the industry will be addressed with an open mind,” adding that it was “premature to read more into it.”
A ministry spokesperson said in an emailed statement on Saturday that it could not comment further because consultations with technology companies were ongoing.
After the report was published, the IT ministry said late on Sunday that the consultations were aimed at developing “an appropriate and robust regulatory framework for mobile security” and that it “routinely” engaged with the industry “to better understand technical and compliance burden.”
The ministry also said it “refutes the statement” that it is considering seeking source code from smartphone makers, without elaborating or addressing the documents cited by Reuters.
Apple, Samsung, Google, Xiaomi and MAIT, the Indian industry body representing the companies, did not respond to requests for comment.
Technology firms in India have previously raised concerns over government requirements. Last month, the government revoked an order mandating a state-run cyber safety app on phones after surveillance concerns. Last year, it went ahead with rules requiring security testing for cameras amid concerns about Chinese spying.
Xiaomi and Samsung, whose phones run Google’s Android operating system, account for 19 per cent and 15 per cent of India’s smartphone market, while Apple has 5 per cent, according to Counterpoint Research.
One of the most sensitive elements of the proposed Indian Telecom Security Assurance Requirements is access to source code, which would be reviewed and possibly tested at designated Indian laboratories, according to the documents.
The proposals would also require software changes allowing users to uninstall pre-installed apps and block apps from using cameras and microphones in the background to “avoid malicious usage.”
“Industry raised concerns that globally security requirement have not been mandated by any country,” a December IT ministry document summarising meetings with Apple, Samsung, Google and Xiaomi said.
The standards were drafted in 2023 and are now under consideration for legal enforcement. Government officials and technology executives are due to meet on Tuesday for further discussions, sources said.
Smartphone companies closely protect their source code. Apple previously declined China’s request for source code between 2014 and 2016, and U.S. law enforcement agencies have also failed to obtain it.
Under India’s proposals for “vulnerability analysis” and “source code review,” companies would be required to conduct a “complete security assessment,” which Indian test labs could then verify through source code review and analysis.
“This is not possible … due to secrecy and privacy,” MAIT said in a confidential document seen by Reuters. “Major countries in the EU, North America, Australia and Africa do not mandate these requirements.”
A source with direct knowledge said MAIT asked the ministry last week to drop the proposal.
The proposals would also mandate automatic and periodic malware scanning on devices. Companies would be required to inform the National Centre for Communication Security about major software updates and security patches before releasing them, and the centre would have the right to test them.
MAIT said regular malware scanning would significantly drain battery life and that seeking government approval for software updates was “impractical” because updates often need to be released quickly.
India also wants system logs to be stored on devices for at least 12 months.
“There is not enough room on device to store 1-year log events,” MAIT said.
(With inputs from Reuters)
