India Telecom Security Rules Spark Talks on Smartphone Source Code Access

The Government of India has begun a new round of discussions with smartphone manufacturers over security standards for mobile phones, shifting the responsibility for these talks from the Department of Telecommunications to the Ministry of Electronics and Information Technology, commonly known as MeitY.

Officials said the move is linked to the Indian Telecom Security Assurance Requirements, or ITSAR, a framework designed to strengthen the security of telecom networks and communication devices. The standards were developed by the National Centre for Communication Security under the Department of Telecommunications.

According to official sources, MeitY is now authorised to handle safety and security issues related specifically to mobile phones and other communication devices, while the broader telecom network aspects remain under the telecom department.

Industry representatives have sought to play down concerns, describing the discussions as part of a routine consultation process between the government and technology companies. Mobile phone manufacturers say no binding orders have been issued so far.

“Based on the ITSAR standard, MeitY has been authorised to handle safety issues related to mobile phones, and there is a smooth conversation going on with industry players,” one official source said, adding that the process had only just begun.

MeitY has already held several meetings with smartphone makers and electronics companies to discuss compliance, software security, and possible technical requirements under the framework.

The India Cellular and Electronics Association, which represents companies including Apple, Samsung suppliers, Xiaomi, Vivo, and domestic manufacturers, said consultations on safety standards had been ongoing for several years.

“It is completely normal for the government to engage industry in such discussions, ask technical and compliance questions, and for the industry to respond with international practices and what might be possible or not,” the association’s chairman, Pankaj Mohindroo, said. He added that the process was open and transparent, with no immediate cause for concern.

However, the consultations have attracted global attention following reports that the government is considering far-reaching security measures that could require smartphone makers to share source code and notify authorities of major software updates.

According to people familiar with the discussions and a review of government and industry documents, the proposed package includes 83 security standards. Among the most sensitive is a requirement for access to source code, the underlying programming that makes smartphones function.

Technology companies have argued that such requirements have no clear global precedent and could expose proprietary information. Firms including Apple, Samsung, Google, and Xiaomi have raised objections in meetings with Indian officials, though most have declined to comment publicly.

India’s IT Secretary, S. Krishnan, told Reuters that the government was open to hearing industry concerns and that it was too early to draw conclusions while consultations were still under way.

The proposals are part of a broader effort by Prime Minister Narendra Modi’s government to strengthen digital security as online fraud, data breaches, and cybercrime increase in India, which is now the world’s second-largest smartphone market with an estimated 750 million devices in use.

Beyond source code access, the proposed standards would require smartphone makers to allow users to uninstall pre-installed applications and block apps from using cameras or microphones in the background without permission. The rules also envisage automatic malware scanning and advance notification to the National Centre for Communication Security before major software updates or security patches are released.

Industry groups have warned that several of these measures may be impractical. The Manufacturers’ Association for Information Technology, which represents many global technology firms, said in a confidential document that regular malware scanning could significantly drain battery life.

The association also argued that seeking government approval or prior notification for software updates could delay the release of urgent security patches. It said storing detailed system logs on devices for at least 12 months, another proposed requirement, could be difficult due to storage limitations.

“This is not possible due to secrecy and privacy,” the association said in its response, noting that major economies in Europe, North America, and Australia do not mandate such requirements.

Government requirements in the technology sector have previously faced resistance. Last year, authorities withdrew an order mandating the installation of a state-run cyber safety application on smartphones after concerns were raised about surveillance. In other cases, however, the government has pressed ahead, including imposing strict testing rules for security cameras over fears of espionage.

Market data from Counterpoint Research shows that Xiaomi and Samsung together account for more than a third of India’s smartphone market, while Apple holds a smaller but growing share.

Context

The outcome of the consultations could have significant implications for India’s digital ecosystem, foreign investment, and relations with global technology firms. While the government argues that stronger oversight is necessary to protect users and national security, companies warn that excessive requirements could disrupt innovation and set a precedent that few other countries follow.

With further meetings scheduled between government officials and technology executives, including discussions expected later this month, the balance India strikes between security, privacy, and commercial interests is likely to shape the future of its smartphone market.