India has proposed requiring smartphone makers to share source code with the government and make several software changes as part of a raft of security measures, prompting behind-the-scenes opposition from giants like Apple and Samsung.
The tech companies have countered that the package of 83 security standards, which would also include a requirement to alert the government to major software updates, lacks any global precedent and risks revealing proprietary details, according to four people familiar with the discussions and a Reuters review of confidential government and industry documents.
The plan is part of Prime Minister Narendra Modi’s efforts to boost security of user data as online fraud and data breaches increase in the world’s second-largest smartphone market, with nearly 750 million phones.
IT secretary S Krishnan said on Saturday “any legitimate concerns of the industry will be addressed with an open mind”, adding it was “premature to read more into it”.
An IT ministry statement said late on Sunday that the consultations are aimed at developing “an appropriate and robust regulatory framework for mobile security”, and it “routinely” engaged with the industry “to better understand technical and compliance burden”.
The IT ministry added it “refutes the statement” that it is considering seeking source code from smartphone makers, without elaborating or commenting on the government or industry documents cited by Reuters.
Apple, South Korea’s Samsung, Google, China’s Xiaomi and MAIT, the Indian industry group that represents the firms, did not respond to requests for comment.
Source code
Indian government requirements have irked technology firms before. Last month it revoked an order mandating a state-run cybersafety app on phones amid concerns over surveillance. But the government brushed aside lobbying last year and required rigorous testing for security cameras over fears of Chinese spying.
Xiaomi and Samsung — whose phones use Google’s Android operating system — hold 19% and 15%, respectively, of India’s market share and Apple 5%, Counterpoint Research estimates.
Read: Trump’s visa overhaul hits India’s IT titans
Among the most sensitive requirements in the new Indian Telecom Security Assurance Requirements is access to source code — the underlying programming instructions that make phones work. This would be analysed and possibly tested at designated Indian labs, the documents show.
The Indian proposals also require companies to make software changes to allow pre-installed apps to be uninstalled and to block apps from using cameras and microphones in the background to “avoid malicious usage”.
“Industry raised concerns that globally, security requirements have not been mandated by any country,” said a December IT ministry document detailing meetings that officials held with Apple, Samsung, Google and Xiaomi.
The security standards, drafted in 2023, are in the spotlight now as the government is considering imposing them legally. IT ministry and tech executives are due to meet on Tuesday for more discussions, sources said.
Smartphone makers closely guard their source code. Apple declined China’s request for source code between 2014 and 2016, and US law enforcement has also tried and failed to get it.
India’s proposals for “vulnerability analysis” and “source code review” would require smartphone makers to perform a “complete security assessment”, after which test labs in India could check their claims through source code review and analysis.
“This is not possible … due to secrecy and privacy,” MAIT said in a confidential document drafted in response to the government proposal, and seen by Reuters. “Major countries in the EU, North America, Australia and Africa do not mandate these requirements.”
MAIT asked the ministry last week to drop the proposal, a source with direct knowledge said.
Logs
The Indian proposals would mandate automatic and periodic malware scanning on phones. Device makers would also have to inform the National Centre for Communication Security about major software updates and security patches before releasing them to users, and the centre would have the right to test them.
MAIT’s document says regular malware scanning significantly drains a phone’s battery and seeking government approval for software updates is “impractical” as they need to be issued promptly.
Read: India’s UPI shows what South Africa’s PayShap could become – if we dare
India also wants the phone’s logs to be stored for at least 12 months on the device. “There is not enough room on-device to store one-year log events,” MAIT said in the document. — Aditya Kalra and Munsif Vengattil, (c) 2026 Reuters
Get breaking news from TechCentral on WhatsApp. Sign up here.
