Inside India’s plan to tighten control over smartphone software

• India weighs smartphone rules that would require source code access.
• Tech firms say the plan has no global precedent, could expose sensitive data.

India is weighing a set of new security rules that could change how smartphones are built, tested, and updated before they reach users. At the centre of the debate is a proposal that would require phone makers to share parts of their source code with the government and notify authorities before rolling out major software updates.

The plan has triggered quiet resistance from global technology firms, including Apple and Samsung, according to people familiar with the discussions and a review of internal government and industry documents. Company representatives argue that the measures go further than anything required in other major markets and could expose closely guarded technical details.

Why the government says it matters

As reported by Reutersthe proposed rules are part of a broader push by Prime Minister Narendra Modi’s government to tighten controls around user data and device security. India has become one of the world’s largest smartphone markets, with close to 750 million devices in use, while online fraud and data leaks continue to rise.

Officials say the process is still under discussion. IT Secretary S. Krishnan said that “any legitimate concerns of the industry will be addressed with an open mind,” adding that it was too early to draw conclusions. A spokesperson for the ministry declined to comment further, citing ongoing consultations with technology firms.

India has clashed with technology firms over security rules before. Last month, the government withdrew an order that would have required a state-backed cyber safety app to be installed on smartphones, following concerns about surveillance. In contrast, it pressed ahead last year with stricter testing rules for security cameras, brushing aside industry objections tied to cost and feasibility amid fears of foreign spying.

Source code becomes the fault line

The latest proposal, known as the Indian Telecom Security Assurance Requirements, goes further than past efforts. One of the most sensitive provisions would allow designated Indian labs to review and test smartphone source code. Source code contains the core instructions that control how a device operates, and companies typically treat it as one of their most valuable assets.

Under the plan, phone makers would also need to adjust their software to allow users to remove preinstalled apps and prevent apps from accessing cameras or microphones while running in the background. The goal, according to the documents, is to reduce the risk of “malicious use.”

Industry flags global precedent concerns

In a December internal note summarising meetings with Apple, Samsung, Google, and Xiaomi, officials acknowledged that “industry raised concerns that globally security requirements have not been mandated by any country.” The standards were drafted in 2023 but are now drawing more attention as the government considers giving them legal force. More meetings between officials and company executives are scheduled this week, according to people familiar with the talks.

Market share data shows why the issue matters to both sides. Xiaomi and Samsung, which use Google’s Android operating system, account for about 19% and 15% of India’s smartphone market. Apple holds roughly 5%, according to estimates from Counterpoint Research. Any new requirement would affect hundreds of millions of devices.

Why companies are pushing back

Companies argue that source code access crosses a line. Apple previously rejected similar requests from Chinese authorities between 2014 and 2016, and US law enforcement agencies have also failed to obtain it. Industry representatives say the Indian proposal for “vulnerability analysis” and “source code review” would require firms to complete full security assessments and then allow local labs to verify those claims by examining the code itself.

“This is not possible […] due to secrecy and privacy,” MAIT said in a confidential response to the government. The group added that regulators in the European Union, North America, Australia, and Africa do not impose comparable demands. According to a person with direct knowledge of the matter, MAIT formally asked the ministry last week to drop the source code requirement.

Practical concerns around updates and storage

Other elements of the proposal have also drawn push-back. Device makers would be required to run automatic and periodic malware scans on phones, alert the National Centre for Communication Security before releasing major software updates or security patches, and allow the agency to test those updates in advance.

MAIT warned that constant malware scanning could drain battery life and that waiting for government clearance before pushing updates could slow down the release of urgent fixes. “Seeking government approval for software updates is impractical,” the group said, arguing that security patches often need to be deployed quickly to limit harm.

Another requirement would force phones to store system activity logs on the device for at least 12 months. The logs track how the phone and its software behave over time. Industry representatives say most devices do not have enough storage to hold that volume of data. “There is not enough room on device to store 1-year log events,” MAIT said in its response.

For now, the proposals remain under review. The talks highlight a broader tension facing governments that want more oversight of digital infrastructure while relying on foreign firms to supply the devices their citizens use every day. How India resolves that tension could shape its own smartphone market and how other countries approach device security in the future.

Want to experience the full spectrum of enterprise technology innovation? Join TechEx in Amsterdam, California, and London. Covering AI, Big Data, Cyber Security, IoT, Digital Transformation, Intelligent Automation, Edge Computing, and Data Centres, TechEx brings together global leaders to share real-world use cases and in-depth insights. Click here for more information.