India’s Proposed Smartphone Security Overhaul Sparks Debate Over Source Code Access
New Delhi, January 12, 2026 — The Indian government is considering a significant set of security measures for smartphones that could require manufacturers such as Apple, Samsung, Google, and Xiaomi to share their proprietary source code — the underlying programming instructions powering device operating systems like iOS and Android — with authorities for vulnerability checks.
According to an exclusive Reuters report published on January 11, 2026, the proposals form part of a broader package of 83 security standards outlined in the Indian Telecom Security Assurance Requirements (ITSAR), initially drafted in 2023 by the National Centre for Communication Security under the Department of Telecommunications. The government is now evaluating whether to enforce these standards legally, amid rising concerns over online fraud, data breaches, and cybersecurity threats in India’s massive smartphone market, which boasts nearly 750 million active devices — the world’s second-largest after China.
Core Elements of the Proposed Requirements
The draft standards aim to enhance user data protection through several key mandates:
- Source code review — Manufacturers would need to conduct a “complete security assessment” of their devices, with government-designated labs in India permitted to access and analyze the source code to identify potential vulnerabilities that could be exploited by attackers.
- Pre-notification of updates — Companies must inform authorities about major software updates and security patches in advance, allowing the government to test them before public release.
- Software and privacy controls — Devices would require features like automatic and periodic malware scanning, the ability for users to uninstall pre-installed apps (bloatware), and restrictions preventing apps from accessing cameras or microphones in the background without explicit permission, to curb malicious activity.
- Additional logging — Some proposals suggest retaining system activity logs for up to 12 months, though industry sources have noted that many devices lack sufficient storage for this.
These measures are framed as part of Prime Minister Narendra Modi’s push to strengthen digital security and protect personal and financial data in an increasingly digitized economy.
Strong Industry Opposition
Smartphone makers and their representatives have voiced significant concerns during closed-door consultations. Industry group MAIT (Manufacturers’ Association for Information Technology), which includes major players like Apple and Samsung, described the source code access requirement as “not possible” due to risks to secrecy, privacy, and intellectual property. Confidential documents reviewed by Reuters highlight worries that no other major markets — including the EU, North America, Australia, or Africa — impose similar obligations.
Critics argue that mandating source code sharing could:
- Expose trade secrets and proprietary technology.
- Compromise global device security if code leaks occur.
- Delay critical security patches, potentially leaving users more vulnerable.
Meetings between IT Ministry officials and tech executives took place in December 2025, with further discussions scheduled for January 13, 2026. IT Secretary S. Krishnan emphasized that “any legitimate concerns of the industry will be addressed with an open mind,” describing the talks as premature for firm conclusions.
Government Response and Clarifications
Following the Reuters publication, the Ministry of Electronics and Information Technology (MeitY) issued a statement late on January 11, 2026, refuting claims that it is actively seeking or mandating source code from smartphone makers. The ministry described the ongoing process as “routine” stakeholder consultations to develop a “robust regulatory framework for mobile security,” aimed at understanding technical challenges and compliance burdens.
The PIB Fact Check unit labeled reports of forced source code sharing as fake, while confirming that discussions on broader mobile security standards are underway. Officials stressed that no final mandates have been issued and that feedback from industry will shape any eventual policy.
Broader Implications and Historical Context
This is not the first time India’s government has clashed with tech firms over security and surveillance concerns. Recent examples include rigorous testing requirements for security cameras (over fears of foreign spying) and a now-revoked mandate for pre-installing a state cyber-safety app. Smartphone companies have historically resisted source code demands — Apple, for instance, refused similar requests from China and U.S. authorities in past years.
The proposals remain in the consultation phase, with no enacted rules yet. The outcome could influence how global tech giants balance national security priorities with innovation, intellectual property protection, and user privacy in one of the fastest-growing digital markets.
As talks continue, the debate highlights the tension between sovereign cybersecurity goals and the realities of a highly competitive, interconnected global tech ecosystem. The coming weeks will likely determine whether India presses forward with stricter measures or opts for a more collaborative approach.
About The Author
