India is proposing a new security measure that would require smartphone manufacturers to provide their source code

The Indian government has proposed a major overhaul of smartphone security requirements under the “Indian Telecom Security Assurance Requirements.” This includes a package of 83 security standards that are supposed to enhance user data protection amid rising online fraud and cyber threats in the country’s massive smartphone market. 

Tech giants like Apple and Samsung are opposed to the move, claiming that the package lacks any global precedent and could reveal proprietary details and trade secrets, especially the source code, something Apple protects fiercely and has in the past resisted sharing with countries like the US and China. 

However, the country claims the demands are part of Prime Minister Narendra Modi’s broader strategy to strengthen cybersecurity in India, which is the world’s second-largest smartphone market.

India’s government makes demands of phone makers

Below is a list of some of the security requirements India is proposing for smartphone makers like Apple and Samsung, which has prompted behind-the-scenes opposition from tech companies.

• Source code disclosure mandating manufacturers to not only test but also provide proprietary source code for review by government-designated labs, expected to identify vulnerabilities in the phone operating systems that could be exploited by attackers.
• Background permission restrictions that restrict apps from accessing cameras, microphones or location services in the background while phones are inactive, and when those permissions are active, a continuous status bar notification is required 
• Permission review alerts that demand devices to periodically display warnings prompting users to review all app permissions, with continuous notifications.
• One year-long log retention, which requires devices to store security audit logs, including app installations and system logs, for up to 12 months.
• Periodic malware scanning, where phones must periodically scan for malware and identify any potentially harmful applications.
• Option to delete pre-installed apps that come bundled with the phone operating system, except those essential for basic phone functions. 
• Informing a government organization before releasing any major updates or security patches.
• Tamper-detection warnings that detect when phones have been rooted or “jailbroken”, and display continuous warning banners to recommend corrective measures.
• Anti-rollback protection that permanently blocks the installation of older software versions, even if officially signed by the manufacturer, to prevent security downgrades.

What tech companies think of the requirements 

The Indian Government has defended the security requirements by claiming it is to protect its citizens, a move that aligns with Narendra Modi’s data security push. However, major players like Samsung, Apple, Xiaomi, and Google, represented by MAIT, the Indian industry group that represents these firms, have expressed opposition, especially regarding the sharing of source code. 

“This is not possible … due to secrecy and privacy,” MAIT, the group representing the smartphone makers, said in a confidential document drafted in response to the government proposal. “Major countries in the EU, North America, Australia, and Africa do not mandate these requirements.”

They claim that there is also no reliable way to detect jailbroken phones or prevent tampering, saying that the anti-rollback lacks standards, and that many pre-installed apps need to be kept as they are critical system components. 

MAIT has reportedly asked the ministry to drop the proposal, according to a source with direct knowledge. The documents from the firm also say regular malware scanning would significantly drain a phone’s battery and that it is “impractical” to seek government approval for software updates, as they are supposed to be timely fixes. 

As for the phone logs that the government has requested to be stored for at least 12 months on devices. MAIT claims most devices lack the capacity to store such logs on them, making it an impossible request to fulfill. 

In response to the points made by MAIT, IT Secretary S. Krishnan claimed that any legitimate concerns of the industry will be addressed with an open mind, while adding that it was “premature to read more into it.”

Meanwhile, a ministry spokesperson refused to comment further, claiming consultation was ongoing with the tech companies on the proposals.

The smartest crypto minds already read our newsletter. Want in? Join them.