India is weighing sweeping smartphone security standards that could require Apple, Samsung, Google and Xiaomi to submit source code for review—part of a broader telecom cybersecurity crackdown aimed at stopping fraud, scams and data breaches.
NEW DELHI — January 11, 2026 — India is considering a major overhaul of smartphone security rules that would force device makers to share source code for government review and redesign how phones handle sensitive permissions, pre-installed apps and software updates. The proposals—reported today in Reuters coverage—have triggered strong industry opposition from major brands and the manufacturers’ group MAIT, setting up a high-stakes policy fight over cybersecurity vs. proprietary technology and privacy.
At the same time, India’s Department of Telecommunications (DoT) has already been tightening the broader telecom security ecosystem through its Telecommunication Cyber Security (TCS) Amendment Rules, 2025, which officials say are now “in force and enforceable” and are designed to curb telecom-enabled fraud such as identity misuse and illicit device circulation.
Key takeaways for readers
- India is proposing 83 smartphone security standards that include source code disclosure to government-designated labs, on-device malware scanning, one-year log retention, tighter controls on background access to camera/mic/location, and rules affecting updates and rollbacks.
- Global brands and MAIT argue that mandatory source-code sharing and certain operational requirements have no global precedent and could introduce practical issues like battery drain, storage constraints, and slower security patch rollouts if approvals are required.
- India’s telecom authorities are simultaneously building a wider anti-fraud framework, including tools like a Mobile Number Validation (MNV) platform and mandatory IMEI “scrubbing” for resale devices.
These developments are unfolding as the government cites rising online fraud and security risks in one of the world’s largest smartphone markets.
What India is proposing: a sweeping “Telecom Security Assurance” rulebook for smartphones
According to Reuters reporting published Sunday (January 11), India is weighing proposed Telecom Security Assurance Requirements for smartphones—an 83-point package that would require manufacturers to implement new controls and submit sensitive technical material for review.
The most controversial piece: source code disclosure
At the center of the dispute is a proposal requiring phone makers to test and provide proprietary source code for review at government-designated labs, intended to identify vulnerabilities that attackers could exploit.
Reuters also notes that source code requests have historically met resistance from major companies—citing prior refusals and attempts by governments to obtain such access.
The “privacy and control” measures: less background spying, more user visibility
The proposed rules go well beyond code review. Among the key changes described today:
- Background permission restrictions: apps would be blocked from using camera, microphone, or location services in the background when the phone is inactive, paired with persistent status indicators when those permissions are in use.
- Permission review prompts: devices would periodically prompt users to review app permissions, with industry arguing such alerts should be limited to only the most critical permissions.
- Pre-installed apps must be removable: all bundled apps except those essential to basic phone function would need to be deletable.
If implemented as described, these changes would directly reshape how millions of Indians experience smartphones—particularly around “always-on” background access and bundled “bloatware.”
The “security enforcement” measures: logs, malware scanning and update oversight
Other proposed requirements—also highlighted by Reuters—could materially affect device performance and update cycles:
- One-year log retention: phones would have to store security audit logs for 12 months, including activity such as installations and logins.
- Periodic malware scanning: mandatory on-device scanning to identify potentially harmful apps.
- Government notification before major updates: manufacturers would need to notify a government organization before releasing major updates or security patches; Reuters notes the National Centre for Communication Security would have the right to test them.
- Tamper warnings and anti-rollback: requirements including detecting rooted/jailbroken devices and preventing installation of older software versions even if officially signed—intended to stop “security downgrades.”
Why Apple, Samsung, Google and other makers are pushing back
The opposition is being led (behind the scenes, per Reuters) by major manufacturers and MAIT, the industry group representing brands including Apple, Samsung, Google and Xiaomi.
Industry objections, in plain English
Based on the Reuters reporting, the pushback falls into three main buckets:
- Trade secrets and privacy concerns: companies argue source code is closely guarded IP and that forced disclosure is incompatible with secrecy obligations and global privacy policies.
- Practical feasibility: firms warn that always-on scanning can drain battery and slow devices, and that storing a year’s worth of logs may not be realistic on consumer hardware.
- Update speed vs. bureaucracy: manufacturers argue that security patches must be released rapidly, and any pre-approval or extended testing requirement could delay fixes—potentially leaving users exposed.
Reuters also reports that the tech ministry says consultations are ongoing and that industry concerns will be heard.
Why the government is doing this now: India’s expanding anti-fraud and cyber-resilience agenda
The smartphone proposal is not happening in a vacuum. It sits alongside broader moves to harden India’s telecom and digital ecosystem.
The TCS Amendment Rules, 2025: “telecom identifiers” become a cybersecurity battleground
In a November 27, 2025 press release, the DoT said it amended the Telecommunication Cyber Security (TCS) Rules, 2024 on October 22, 2025 to address vulnerabilities that emerged as mobile numbers and device identifiers became embedded in everyday digital services like banking and e-commerce.
The DoT highlighted two notable frameworks:
- Mobile Number Validation (MNV) platform: a mechanism enabling service providers to validate whether a number genuinely belongs to the person on record (aimed at curbing identity misuse and “mule account” fraud).
- Resale device “scrubbing” (IMEI checks): entities dealing in resale/refurbished devices must verify IMEI numbers against a central database of blacklisted devices before resale, intended to reduce circulation of stolen/cloned phones and protect buyers.
Officials framed these as steps to strengthen device traceability and combat telecom-enabled fraud while balancing innovation and privacy.
Telecom security reforms for 2026: testing capacity and “ease of doing business”
Separately, the government has signaled it wants security assurance without choking industry. In a December 29, 2025 PIB release, the Ministry of Communications said Union Minister Jyotiraditya Scindia announced reforms implemented through the National Centre for Communication Security (NCCS), including extending a Pro Tem Security Certification Scheme (from January 1, 2026 for two years), reducing application fees for security testing labs, and simplifying certification requirements for certain equipment classes.
This matters because any smartphone rulebook that involves labs and testing will require significant certification capacity—and the government appears to be expanding that ecosystem.
A crucial detail: India’s telecom security standards already envision source-code review (for certain systems)
One reason today’s smartphone proposals have sparked such a strong reaction is that “source code review” is seen as a red line for many manufacturers. But within India’s existing telecom security documentation, source-code review is not an entirely new concept.
A published NCCS ITSAR document on operating system security requirements states that source code shall be made available at a Telecom Security Testing Laboratory (TSTL) or another mutually agreed location for review by the designated TSTL, supported by a Software Test Document.
That doesn’t automatically mean the same process should apply to consumer smartphones in the exact way proposed today—but it helps explain why officials may see code access as a legitimate security assurance mechanism, while manufacturers view it as an unacceptable expansion.
What this could mean for India’s 750-million-phone market
Reuters describes India as the world’s second-largest smartphone market with nearly 750 million phones, and notes that leading Android brands Xiaomi and Samsung hold significant market share, with Apple smaller but growing.
If the proposed requirements become law, the real-world impact could play out across five fronts:
1) Security and privacy: potentially stronger controls, but also new trust questions
On paper, limiting background access to the microphone/camera and making permission activity visible could meaningfully reduce “silent” surveillance by malicious or overly invasive apps.
But source-code access and pre-notification of updates could also create new questions about oversight, confidentiality and whether sensitive information could leak or be misused—concerns that are often raised whenever governments seek deeper access into device software.
2) Updates: could they get slower—or more robust?
A central tension is speed vs. assurance. Industry says patches must ship quickly; the proposal includes government notification and potential testing rights.
If processes are streamlined, this could lead to higher assurance without big delays. If not, it could become a bottleneck during active exploitation windows.
3) Performance trade-offs: storage and battery concerns
Mandatory scanning and 12-month log retention are precisely the type of requirements that can impact day-to-day usability—battery life, storage, and sometimes device responsiveness. Companies have raised those feasibility concerns.
4) Product launches and “India-first” variants
If certification timelines expand or require additional local testing cycles, India-specific builds or staggered launch timelines could become more common—especially for new OS versions or feature updates.
5) Consumer rights: the end of non-removable bloatware?
One of the most consumer-friendly proposals is the requirement that pre-installed apps (other than essential functions) be removable. If enforced well, that could reduce unwanted apps and potentially improve privacy and storage for users.
“Making the rules work” for a billion users: the implementation challenge
The biggest question isn’t just what’s written in standards—it’s how they’re enforced.
A consumer-focused paper from CUTS (Centre for Consumer Unity & Trust Society) warns that while telecom cyber resilience rules aim to improve security, they can also introduce accessibility, affordability and trust risks if they lead to inconsistent implementation or user-facing friction in digital services.
And while the full text is not accessible here, the existence of a January 2026 policy analysis titled “Ensuring the new telecom cyber security rules work better for a billion users” reflects how central the “implementation layer” has become in India’s telecom-security debate.
What happens next: timelines, consultations and the “Tuesday meeting” to watch
Reuters reports that the security standards were drafted in 2023 but have now moved into the spotlight as India considers making them legally enforceable, with further discussions between the government and tech executives expected this week.
What to watch in the coming days:
- Whether India publishes clearer public consultation drafts spelling out scope (which devices, which OS layers, which labs).
- Whether “source code access” is narrowed to on-site review, escrow arrangements, or other mechanisms designed to reduce IP exposure.
- How “notify government before major updates” would work during emergency patch cycles.
Practical steps for smartphone users right now
Regardless of what India ultimately adopts, these habits reduce risk today:
- Keep your device on the latest security patch level and enable auto-updates.
- Review app permissions (especially camera, microphone, location, SMS) and revoke anything unnecessary.
- Remove unused apps and avoid sideloading from unknown sources.
- Use strong device unlock methods (PIN + biometrics where available) and enable account-level 2FA.
Bottom line
India is signaling a new era of hardware-and-software security regulation where smartphones are treated as critical infrastructure endpoints. The question now is whether policymakers can achieve stronger protections against fraud and breaches without creating new risks, such as code exposure, slower updates, or degraded device performance, for the devices on which both consumers and the broader digital economy depend.
