Source The Hindu
NEW DELHI – In a move that has sent ripples through the global tech industry, the Government of India has proposed a sweeping new security framework that could require smartphone manufacturers to share their proprietary source code for rigorous security testing.
The proposal, part of a draft of the Indian Telecom Security Assurance Requirements (ITSAR), aims to curb the rising tide of cyber fraud, data breaches, and state-sponsored spying. However, it has met with immediate and significant pushback from tech giants like Apple, Samsung, Google, and Xiaomi.
Key Proposals in the Security Overhaul
The government’s plan includes 83 new security standards designed to ensure that mobile devices sold in the world’s second-largest smartphone market are “clean” and secure. The most controversial measures include:
Source Code Disclosure: Manufacturers would be required to provide the underlying programming instructions (source code) of their operating systems to government-designated labs for vulnerability analysis.
Pre-installed App Control: Every pre-installed application, except for core system functions, must be deletable by the user.
Background Permission Blocks: Apps would be strictly prohibited from accessing cameras, microphones, or location services while running in the background, unless explicitly active and visible to the user.
One-Year Log Retention: Devices must store security audit logs—including login attempts and app installations—for 12 months for potential forensic review.
Prior Notification of Updates: Companies would need to inform the National Centre for Communication Security (NCCS) about major software updates and security patches before they are released to the public.
Industry Resistance: “Not Possible”
Major smartphone brands, represented by the industry body MAIT, have expressed deep concern over the feasibility of these rules. In private consultations, companies have argued that sharing source code is “not possible” due to the extreme risks it poses to intellectual property and global corporate secrecy.
“There is no global precedent for requiring the disclosure of proprietary source code for consumer electronics,” a source familiar with the discussions noted. “This could inadvertently create new security risks if that code were ever leaked from the testing labs.”
Tech firms also warned that mandatory pre-release testing of security patches could leave Indian users vulnerable for longer periods, as manufacturers often need to push out “day-zero” fixes immediately to stop active exploits.
The Government’s Stance
The Ministry of Electronics and Information Technology (MeitY) maintains that these measures are essential for national security. Officials point to a sharp rise in cybercrime, with government data showing that over 2.2 million cybersecurity incidents were reported in India in 2024 alone.
IT Secretary S. Krishnan recently stated that the government is open to dialogue but focused on protecting the 750 million smartphone users in the country. “Any legitimate concerns of the industry will be addressed with an open mind,” he said, though he added that it is “premature” to dismiss the security benefits of the proposal.
What Happens Next?
The government and tech executives are scheduled to meet for further high-stakes discussions on Tuesday, January 13, 2026. While the industry body ICEA has described the talks as “routine and transparent,” the outcome will determine whether India sets a new, more restrictive standard for mobile security that other nations might follow—or if the “Great Wall of Regulation” will force a shift in how global tech giants operate within the subcontinent.
