India’s Smartphone Source Code Proposal Faces Pushback

India’s plan to mandate that smartphone manufacturers share their source code and implement various software modifications, as part of new security measures, has sparked significant opposition from major tech companies like Apple and Samsung.

These companies have argued that the proposed 83 security standards—one of which would require informing the government of significant software updates—are unprecedented globally and could potentially expose sensitive data, based on insights from a review by Reuters of confidential government and industry documents, along with discussions among four informed individuals.

This initiative is part of Prime Minister Narendra Modi’s strategy to enhance user data security in light of increasing online fraud and data breaches within India’s vast smartphone market, which boasts around 750 million devices.

IT Secretary S. Krishnan commented that the government would address any legitimate industry concerns fairly, though he emphasized that it was premature to overanalyze the situation. A spokesperson for the ministry declined to provide further details as the proposal is still under discussion with tech companies.

Major brands, including Apple, Samsung, Google, Xiaomi, and the Indian industry group MAIT that represents them, did not respond to inquiries for comment.

In the past, India’s stipulations have raised alarms among technology firms. Recently, the government revoked a requirement for a state-run cybersecurity app on mobile devices, citing surveillance worries. Last year, however, it chose to impose tighter inspections of surveillance cameras despite lobbying attempts, linking it to espionage risks from China.

According to Counterpoint Research, Xiaomi captures 19% of India’s market share, while Samsung holds 15%, and Apple stands at 5%.

One particularly contentious aspect of the new telecommunications security requirements is the call for access to source code, which contains the essential programming instructions for devices. This would be evaluated and potentially tested at a designated laboratory in India.

The Indian mandate also stipulates that companies must enable users to uninstall pre-installed applications to prevent malicious uses and adjust software to prevent apps from utilizing the camera or microphone without permission.

A document from the IT ministry from December documented a meeting with officials from major companies, stating that industry representatives expressed concerns about the lack of global precedents for such security requirements.

The forthcoming security standards set for 2023 are currently under scrutiny, and discussions are underway about potentially making them legally binding. Industry executives and the IT ministry are scheduled to convene again for discussions soon.

Smartphone manufacturers are generally protective of their source code; Apple, for instance, declined to share its source code with China when requested. There were also unsuccessful attempts by U.S. law enforcement to access it.

India’s proposals on “vulnerability analysis” and “source code review” would necessitate comprehensive security evaluations, allowing Indian testing agencies to verify the claims made by smartphone manufacturers through source code analysis.

MAIT, in a confidential document following the government proposal, raised concerns about the feasibility of these requirements, noting that major regions like the EU, North America, Australia, and significant African nations do not impose comparable mandates.

MAIT recently requested the ministry to withdraw the proposal, according to sources.

The Indian proposal also entails automatic and regular scans of devices for malware. Manufacturers would be required to inform the National Communications Security Center of major software updates and security patches prior to their public release, allowing the center to conduct testing.

According to MAIT’s document, frequent malware scans could drain battery life, and the need for swift software updates makes it unrealistic to seek pre-approval from the government.

Additionally, India intends to store mobile phone logs—digital records of system activities—for a minimum of 12 months.

MAIT expressed concern that storing a year’s worth of log events on devices is impractical due to limited storage capacity.