India’s plan to inspect smartphone source code provokes industry resistance

India is pushing a sweeping overhaul of smartphone security that would require manufacturers to submit proprietary operating-system and related source code to government-designated testing laboratories in India for full security assessments. The draft package, circulated by the IT ministry and described in one document as the “Telecom Security Assurance Requirements,” was drafted in 2023 and is under active consideration for legal enforcement.

Central to the proposal is a mandate for a complete security assessment. Designated labs would be empowered to review source code, run vulnerability analyses and verify manufacturers’ security claims. The draft reportedly comprises a broad set of technical and process controls, sometimes quantified in reporting as 83 standards. Other measures under consideration include forcing manufacturers to allow users to uninstall pre-installed apps, restricting apps’ ability to access cameras, microphones and location services while phones are idle or running in the background, and requiring continuous status-bar notifications when those permissions are active. Companies would also be required to notify the government before rolling out major software updates, and the draft calls for additional hardware and software safeguards whose precise scope was not specified in the circulated texts.

Government officials have presented the measures as a response to widespread online fraud, scams and data breaches affecting India’s mobile users. The ministry frames the rules as necessary to secure digital transactions and protect user data for nearly 750 million mobile subscribers who, officials say, face growing risks. Proponents argue that on-device security assessments and building local testing capacity will close oversight gaps that arise from India’s diverse hardware and software ecosystem.

The proposal has prompted immediate pushback from manufacturers and industry groups. MAIT, the Manufacturers’ Association for Information Technology, which represents major vendors including Apple, Samsung, Google and Xiaomi, told the government in a confidential response that source-code disclosure and the proposed “vulnerability analysis” and “source code review” requirements are "not possible … due to secrecy and privacy." Industry representatives have argued the package lacks global precedent and risks exposing proprietary details, noting in ministry meeting records that "major countries in the EU, North America, Australia and Africa do not mandate these requirements."

Those objections echo earlier disputes over source-code access. Reporting cited past episodes in which Apple declined to provide source code to China between 2014 and 2016, and in which U.S. law enforcement has at times failed to obtain similar proprietary code. Industry leaders have warned that mandatory disclosure could undermine intellectual property protections and commercial secrecy while complicating global supply chains and software ecosystems.

Government and industry officials have held several meetings, and a December IT ministry document recorded industry feedback on the draft. Officials and technology executives are due to meet again on Tuesday for further discussions, according to meeting schedules. Spokespeople for the ministry have signaled they will address industry concerns even as they push to strengthen domestic testing capacity.

The debate pits national security and consumer-protection aims against commercial confidentiality and global regulatory norms. As the government weighs formal adoption and potential legal force, manufacturers and regulators will need to reconcile competing priorities that will shape how billions of devices operate and how user data is protected in India’s vast mobile market.