 |
| Image: AI Generated |
Your next iPhone or Samsung Galaxy could come with government-mandated security features that tech giants say have never been required anywhere else in the world—and they're not happy about it.
The Centre's proposal to mandate smartphone manufacturers to share source code with government-designated laboratories has met with strong opposition from major technology companies, including Apple, Samsung, Google, and Xiaomi, which have termed the requirements unprecedented and impractical.
The package of 83 security standards, part of the Indian Telecom Security Assurance Requirements, would require manufacturers to provide proprietary source code for vulnerability analysis and make several software modifications aimed at enhancing user data security. The proposals come amid rising concerns over online fraud and data breaches in India's smartphone market, which comprises nearly 750 million devices.
No global precedent, says industry
According to confidential government and industry documents reviewed by Reuters, the Manufacturers' Association for Information Technology (MAIT), which represents the major smartphone companies, has informed the government that source code disclosure is "not possible" due to corporate secrecy and global privacy policies.
"Major countries in the EU, North America, Australia, and Africa do not mandate these requirements," MAIT stated in its response to the government proposal, adding that industry has raised concerns that such security requirements have not been mandated by any country globally.
The source code requirement is particularly sensitive given that Apple declined a similar request from China between 2014 and 2016, and U.S. law enforcement agencies have also been unsuccessful in obtaining such access from technology companies.
Key proposed requirements
Beyond source code access, the proposals mandate automatic and periodic malware scanning on devices, which manufacturers warn would significantly drain battery life and slow hardware performance. Device makers would also be required to inform the National Centre for Communication Security about major software updates and security patches before releasing them to users.
MAIT has termed the requirement to seek government approval for software updates as "impractical," arguing that security fixes need to be issued promptly to protect users from active exploits.
The proposals also stipulate that devices must store security audit logs, including app installations and login attempts, for a period of 12 months. However, MAIT contends that consumer phones lack sufficient storage capacity for a year's worth of data.
Other requirements include enabling users to uninstall pre-installed applications, restricting background access to cameras and microphones, and implementing tamper-detection warnings for devices that are rooted or jailbroken.
Government open to addressing concerns
IT Secretary S. Krishnan told Reuters that "any legitimate concerns of the industry will be addressed with an open mind," adding that it was "premature to read more into it." A Ministry spokesperson declined further comment, citing ongoing consultations with technology companies.
According to sources, officials from the IT Ministry and executives from technology companies are scheduled to meet on Tuesday for further discussions on the proposed standards.
The security standards were initially drafted in 2023 but have come into focus as the government considers legally enforcing them. A December IT Ministry document detailing meetings with Apple, Samsung, Google, and Xiaomi noted that industry participants raised concerns about the lack of global precedent for such requirements.
Market implications
The proposals affect companies that dominate India's smartphone market. According to Counterpoint Research estimates, Samsung and Xiaomi—whose devices run on Google's Android operating system—hold 15% and 19% market share respectively, while Apple accounts for 5%.
This is not the first instance of friction between the government and technology firms over security requirements. Last month, the government revoked an order mandating the installation of a state-run cyber safety application on phones following concerns over surveillance. However, it proceeded with rigorous testing requirements for security cameras last year despite industry lobbying, citing concerns over Chinese espionage.
The outcome of Tuesday's discussions will likely determine whether the government proceeds with the proposed requirements or modifies them to address industry concerns about technical feasibility and international norms.