India proposes smartphone source-code reviews and tighter security rules

The Indian government has circulated a draft of sweeping Telecom Security Assurance Requirements that would force smartphone manufacturers to open proprietary source code to government-approved testing laboratories in India for review and vulnerability analysis. The proposal, presented to major device makers and industry representatives in recent meetings, also tightens rules on pre-installed apps, background access to cameras and microphones, and software update notifications.

At the center of the draft is a mandate for what the ministry describes as a complete security assessment. Government-designated laboratories would be empowered to verify manufacturers’ claims by reviewing and testing source code and running vulnerability analyses. The proposal further instructs makers to allow users to uninstall pre-installed apps and seeks to limit apps’ ability to access cameras and microphones while running in the background in order to "avoid malicious usage." Elements of the draft would require companies to notify the government before rolling out major software updates.

Officials frame the measures as part of a broader effort to curb online fraud, scams and data breaches across India’s vast mobile ecosystem. The ministry cites the need to secure digital transactions and protect user data for nearly 750 million mobile users who, it says, face growing fraud and breach risks. Proponents argue that on-device security assessments and local testing capacity will close gaps in a market where diverse hardware and software configurations complicate oversight.

The proposals have prompted strong resistance from manufacturers and their trade group. Apple, Samsung, Google and Xiaomi, among others, have raised objections in formal discussions with the ministry and in private talks. The Manufacturers’ Association for Information Technology filed formal remarks, arguing that the source-code requirement is "not possible ... due to secrecy and privacy" and warning that mandatory disclosure of proprietary code would expose intellectual property and commercial secrets. MAIT also noted that many jurisdictions in Europe, North America, Australia and parts of Africa do not impose similar obligations.

Industry concerns extend beyond intellectual-property risk. Manufacturers argue that giving a government body access to sensitive source code could harm supply-chain confidentiality and complicate global release cadences. They also seek clear legal safeguards for any code reviewed, accreditation standards for the designated laboratories, and firm procedures for handling proprietary information. The draft available for discussion does not, in current reporting, specify those protections in operational detail.

Ministry officials have met repeatedly with device makers and industry groups to debate the draft’s scope and implementation. Key unresolved questions include which portions of source code would be subject to review, how labs would be accredited and governed, what legal and commercial protections would apply to reviewed material, and the timeline for enforcement. It is also unclear how the government would reconcile national security and consumer-protection objectives with manufacturers’ demands for confidentiality.

The debate sets up a test case in the global tension between state-led cybersecurity demands and commercial claims of proprietary secrecy. As talks continue in New Delhi, the ministry faces pressure to refine safeguards and timelines while companies press for alternatives that protect intellectual property without undermining national security goals. It remains uncertain when, or if, the draft will be finalized into binding regulation.