India plans obligations for smartphone makers, including source code access

India wants to oblige smartphone manufacturers to comply with a total of 83 security standards. These partially contradict the business interests of the companies and are vehemently rejected by them. According to Reuters, the catalog of requirements dates from 2023, but the Indian government is now considering obliging companies to comply with it. As the news agency reports, citing four sources and documents reviewed, the catalog contains a series of far-reaching provisions, the fulfillment of which appears partially unrealistic.

One of the most fiercely contested is likely the requirement for a "complete security assessment." Because in order to be able to check this, according to Reuters, test laboratories in India are to gain access to the source code of smartphones to review it and check for vulnerabilities. The at least partially proprietary source code is guarded suspiciously by smartphone manufacturers and is generally not made accessible to state or other external bodies. According to Reuters, the industry association MAIT – which represents Apple, Samsung, Google, and Xiaomi in India, among others – considers the requirement, not surprisingly, to be unfeasible and cites reasons of confidentiality and data protection. MAIT has urged the responsible IT ministry to drop the proposal.

According to Reuters, MAIT also objects to various other requirements from the catalog, some of which, however, seem quite sensible. For example, it is demanded that pre-installed apps can also be uninstalled (provided they are not required for basic telephony functions), or that apps are not allowed to access the camera, microphone, and location when they are in the background and the phone is not active. Regarding the former, MAIT complains that many apps are essential for critical system components, and regarding the latter, among other things, that no test method is defined for it.

Further critical provisions

However, other requirements from the catalog of provisions are also quite critical from a user's perspective. According to Reuters, smartphones should clearly indicate when a device has been rooted or security restrictions have otherwise been circumvented, and suggest "corrective measures" to the user. Smartphone owners who have intentionally rooted their device could be massively disturbed by this. However, manufacturers argue that there is no reliable method to detect modified devices.

According to Reuters, the Indian government also wants smartphone manufacturers to inform India's national center for communication security when they provide major updates or security patches. This should be done before the patches are delivered to users, and the center should be able to test the patches in advance. Such a requirement could lead to dangerous delays, especially with security updates. Reuters consequently quotes smartphone manufacturers as stating that such a provision is "not practicable" and could endanger users.

Not set in stone yet

Fundamentally, India seems inclined to listen to criticism. They are still in consultation with technology companies. IT Secretary Krishnan told Reuters that they would address all legitimate concerns of the industry with an open mind. In a similar case at the beginning of December 2025, India had obliged smartphone manufacturers to install a government security app on all devices. However, after widespread criticism, the government quickly backtracked.

(syt)