India’s swift U-turn over mandatory mobile security app

• The Indian government told smartphone firms on 28 November they had to pre-install a state security app on devices to be sold in the country and had 90 days to comply
• The move resulted in an outcry from security and privacy experts and, according to reports, smartphone makers pushed back on the order 
• Just days later the government reversed the mandatory installation directive

Only days after telling smartphone manufacturers, such as Samsung, Apple and Xiaomi, they had 90 days to pre-install a state security app on all smartphones being shipped to India, one of the largest mobile markets in the world, India’s government has reversed its ruling following an outcry from security and privacy experts and, according to reports, pushback from Apple and Samsung. 

On 1 December, the Indian government’s Department of Telecommunications (DoT) announced it had instructed phone-makers on 28 November that they had just three months to comply with a pre-install directive for the state’s Sanchar Saathi app and that manufacturers and importers had to “endeavour” to install the app on devices already being used in the country via software updates. In addition, the app should be installed in such a way that it couldn’t be disabled or have any functions restricted. 

The government stated the app has been designed to “safeguard the citizens from buying the non-genuine handsets, enabling easy reporting of suspected misuse of telecom resources and to increase effectiveness of the Sanchar Saathi [mobile device security] initiative.”

It stated: “The DoT is undertaking the Sanchar Saathi initiative for curbing misuse of telecom resources for cyber frauds and ensuring telecom cybersecurity. The DoT has developed the Sanchar Saathi portal and app, which enables citizens to check the genuineness of a mobile handset through the IMEI [international mobile equipment identity] number along with other facilities like reporting suspected fraud communications, lost/ stolen mobile handsets, check mobile connections in their name, trusted contact details of banks/ financial institutions.”

The announcement had, potentially, far-reaching impact. India is one of the largest mobile markets in the world, with about 1.18 billion mobile users at the end of October, according to the Telecom Regulatory Authority of India (TRAI). In terms of smartphones, manufacturers shipped 151 million devices to India in 2024, according to research firm IDC. 

Understandably, the announcement generated a fierce response from privacy and security experts and groups. The Internet Freedom Foundation stated: “The direction by requiring manufacturers and importers of mobile handsets to pre-install the Sanchar Saathi app represents a sharp and deeply worrying expansion of executive control over personal digital devices. The stated objective of curbing IMEI fraud and improving telecom security is, on its face, a legitimate state aim. But the means chosen are disproportionate, legally fragile and structurally hostile to user privacy and autonomy… In plain terms, this converts every smartphone sold in India into a vessel for state-mandated software that the user cannot meaningfully refuse, control or remove. For this to work in practice, the app will almost certainly need system-level or root-level access, similar to carrier or OEM [original equipment manufacturer] system apps, so that it cannot be disabled. That design choice erodes the protections that normally prevent one app from peering into the data of others, and turns Sanchar Saathi into a permanent, non-consensual point of access sitting inside the operating system of every Indian smartphone user.”

The Indian government attempted to allay concerns with a statement from communications minister Jyotiraditya Scindia on 2 December. He stated that the app is “completely democratic and fully voluntary” and claimed that “users can activate the app at their convenience to access its benefits, and they may deactivate or delete it from their devices at any time. “Sanchar Saathi is both an app and a portal that enables citizens to secure themselves through transparent, easy-to-use tools. It is a significant step toward Jan Bhagidari, where citizens actively participate in protecting their own digital ecosystem,” he said.

At the same time, Reuters reported that Apple had already decided it wouldn’t comply and would share its concerns with the DoT. 

Then on 3 December, the Indian government caved in to the pressure and announced it had “decided not to make the pre-installation mandatory for mobile manufacturers.”

The somewhat laughable official reason given for the U-turn is that the app is already proving incredibly popular with India’s mobile users, who are downloading and installing it themselves. 

The DoT stated: “The government, with an intent to provide access to cybersecurity to all citizens, had mandated pre-installation of the Sanchar Saathi app on all smartphones. The app is secure and purely meant to help [protect] citizens from bad actors in the cyber world. It helps in ‘Jan Bhagidari’ by all citizens reporting on such bad actors and actions while protecting users themselves. There is no other function other than protecting the users in the app and they can remove the app whenever they want… So far, 1.4 crore [14 million] users have downloaded this app and are contributing to information on 2,000 fraud incidents per day. The number of users has been increasing rapidly and the mandate to install the app was meant to accelerate this process and make the app available to less aware citizens easily. Just in the last day, 6 lakh [600,000] citizens have registered to download the app, which is a [tenfold] increase in its uptake. This is affirmation of the faith [of] citizens [in] this app for protecting themselves, provided to them by the government. Given Sanchar Saathi’s increasing acceptance, the government has decided not to make the pre- installation mandatory for mobile manufacturers.” 

Will we see heavy-handed cybersecurity directives from the Indian government again? Will this U-turn cause it to rethink its approach to digital initiatives? Answers on an app, please…

- Ray Le Maistre, Editorial Director, TelecomTV