India Considers Requiring Smartphone Makers to Share Source Code in Security Overhaul
India is considering sweeping new security rules that would require smartphone manufacturers to share their source code with the government and implement a series of software changes, triggering behind-the-scenes pushback from major global technology companies, including Apple and Samsung.
Under the proposed framework, smartphone makers would be required to comply with 83 security standards. These measures would also include obligations to notify the government about major software updates. Technology firms have argued that the proposals lack any global precedent and could expose highly sensitive proprietary information, according to people familiar with the discussions and a review of confidential government and industry documents.
The initiative is part of Prime Minister Narendra Modi’s broader push to strengthen user data security amid a rise in online fraud and data breaches in India, the world’s second-largest smartphone market, which has nearly 750 million devices in use.
India’s IT Secretary, S. Krishnan, said on Saturday that any legitimate concerns raised by the industry would be considered with an open mind, adding that it was too early to draw firm conclusions about the proposals.
A spokesperson for the ministry said it could not provide further comment due to ongoing consultations with technology companies.
In a later statement, the IT ministry said the consultations were aimed at developing “an appropriate and robust regulatory framework for mobile security,” adding that it routinely engages with industry participants to better understand technical and compliance challenges. The ministry also denied that it was seeking access to smartphone source code, without elaborating further or addressing the documents cited in the discussions.
Ongoing Tensions Over Government Requirements
Major technology firms, including Apple, Samsung, Google, Xiaomi, as well as MAIT—the Indian industry body representing many of these companies—did not issue public responses to requests for comment.
India’s regulatory requirements have previously caused friction with technology companies. Last month, the government withdrew an order mandating the installation of a state-backed cyber safety application on phones following concerns over surveillance. However, officials have also shown willingness to stand firm, as seen last year when the government required stringent testing of security cameras over fears of foreign espionage.
Market data shows that Xiaomi and Samsung—whose devices run on Google’s Android operating system—account for roughly 19% and 15% of India’s smartphone market, respectively, while Apple holds about 5%.
One of the most sensitive elements of the proposed Indian Telecom Security Assurance Requirements is access to source code—the core programming instructions that power smartphones. According to the documents, this code would be reviewed and potentially tested at designated laboratories in India.
The proposals would also require software changes allowing users to uninstall pre-installed applications and restrict apps from accessing cameras and microphones in the background, in order to prevent malicious use.
Industry representatives have raised concerns that such security requirements have not been mandated by any other country globally, according to a government document summarizing meetings held in December with major smartphone makers.
Although the security standards were drafted in 2023, they have gained renewed attention as the government considers making them legally binding. Additional discussions between government officials and technology executives are expected to continue.
Companies Push Back on Source Code Access
Smartphone manufacturers closely guard their source code, viewing it as among their most valuable intellectual property. Previous attempts by governments in other countries to obtain such access have been unsuccessful.
India’s proposals for “vulnerability analysis” and “source code review” would require device makers to conduct comprehensive security assessments, after which government-designated laboratories could verify the claims by reviewing and analyzing the source code.
