India’s proposed smartphone security rules have signalled a growing standoff between the government and global technology companies, with leading manufacturers and industry bodies flagging serious concerns over the draft framework. Apple, Samsung and other major smartphone makers have cautioned that, in their current form, the rules could disrupt software updates, affect user privacy and create complex global compliance challenges.
The draft norms, currently under discussion between the government and industry stakeholders, aim to significantly expand regulatory oversight of smartphone software, data handling and system integrity. According to government and industry documents cited by Reuters, the proposals include provisions that could directly alter how smartphones are designed, updated and monitored in India. Industry representatives argue that several of these requirements diverge from global practices and are difficult to implement in real-world conditions.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Strong opposition to source code submission
One of the most contentious proposals requires smartphone manufacturers to submit their proprietary operating system source code to government-approved laboratories for security testing. The government has argued that such scrutiny would help identify vulnerabilities that cyber attackers could exploit, thereby strengthening national digital security.
However, electronics industry body MAIT has strongly opposed the move, stating that sharing source code is incompatible with strict corporate confidentiality obligations and international privacy frameworks. Companies fear that exposing proprietary code could jeopardise intellectual property and complicate legal compliance across multiple global markets.
Concerns over advance notice for updates
The draft rules also propose that manufacturers must notify a designated government authority before rolling out major system updates or security patches. Smartphone makers have described this requirement as impractical, noting that security vulnerabilities often need to be addressed immediately to protect users from active cyber threats. Any delay caused by regulatory procedures, they warn, could leave millions of devices exposed.
In addition, the framework calls for the permanent blocking of older operating system versions, even if they are officially signed and verified. Industry executives say there is no global precedent for such a mandate and caution that it could severely complicate device lifecycle management.
App permissions and user alerts under scrutiny
Tighter controls on app permissions form another key pillar of the proposed framework. Under the draft rules, applications would be barred from accessing sensitive features such as the camera, microphone or location services when devices are idle. Persistent status bar indicators would also be mandatory to alert users whenever such access is active.
While companies broadly support greater transparency for users, they have raised concerns about the absence of clearly defined testing standards for these requirements. The framework also proposes periodic prompts asking users to review app permissions. Manufacturers argue that excessive notifications could overwhelm users and reduce effectiveness, and that alerts should be limited to highly critical permissions.
Data retention and malware scanning worries
Under the proposals, smartphones would be required to retain detailed security logs — including app installation histories and login activity — for up to one year. Industry bodies have warned that most consumer devices, particularly in the budget and mid-range segments, do not have sufficient storage capacity to support such extensive data retention.
Mandatory and periodic malware scans have emerged as another flashpoint. Manufacturers caution that continuous scanning could degrade device performance and significantly drain battery life, while offering limited incremental security benefits.
Root detection and pre-installed apps debated
The draft rules also require smartphones to detect rooted or “jailbroken” states and display continuous warnings advising users to take corrective action. Companies have questioned the technical feasibility of this requirement, arguing that there is no fully reliable method to detect all forms of system modification.
Another proposal mandates that all pre-installed apps — except those essential for core phone operations — must be removable. Manufacturers counter that many bundled apps are deeply integrated into system architecture, and forcing their removal could affect device stability and security.
Industry calls for balanced approach
Amid the pushback, some industry representatives have adopted a more measured tone, noting that discussions on smartphone security standards have been ongoing for several years. They have emphasised that government–industry engagement is a normal and transparent process, and expressed confidence that a workable consensus can be achieved through continued dialogue.
For policymakers, the challenge lies in striking a balance between national security and consumer protection on one hand, and innovation, privacy and the operational realities of global smartphone manufacturing on the other. As consultations continue, the final shape of India’s smartphone security rules will be closely watched by both industry and consumers, given the country’s position as one of the world’s largest mobile device markets.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
