71
/
7
Min Read
The Indian government is not asking the smartphone makers to share source codes or making software changes as part of a raft of security measures.
The clarification from the Ministry of Electronics and Information Technology (MeitY) came after Reuters reported that the government was proposing the same and that it had prompted a "behind-the-scenes" opposition from firms like Apple and Samsung.
"... MeitY refutes the statement by an international news organisation that Government is proposing to force smartphone makers to share source code with the government and make several software changes as part of a raft of security measures, prompting opposition from giants like Apple and Samsung. These news reports have not quoted any statement from these smart phone manufacturers or the industry associations which represent them. Instead, they have selectively chosen to ignore the comments of industry association which clearly indicates its mischievous intent to sensationalise the news" said the IT ministry in a statement.
"...Government is fully committed to working with the industry and address their concern. That is why, the government has been engaging with the industry to better understand technical and compliance burden and best international practices which are adopted by the smart phone manufactures."
Mobile security framework
Even as the government has denied adopting any unconventional methods, there is certainly a need for a framework that addresses issues relating digital privacy of users, specifically on the mobile platform.
The ministry said: "The Government of India is continuously taking steps to ensure the safety and security of users and to protect their personal data in the rapidly evolving digital ecosystem. It remains firmly committed to strengthening cybersecurity and safeguarding the privacy of citizens.
Mobile security is a critical aspect as smartphones are increasingly used for financial transactions, delivery of public services, and storage of sensitive personal information. With over a billion mobile users in the country, smartphones today hold vast amounts of personal and financial data, making them attractive targets for cybercriminals.
Any compromise of mobile security can lead to identity theft, financial losses, privacy violations and unauthorized access to sensitive information such as banking details, photographs and login credentials." For businesses as well, the ministry noted, unsecured mobile devices pose significant risks, including data breaches and operational disruptions.
The ministry also added that it regularly holds consultations with stakeholders on safety compliance, electromagnetic interference and compatibility (EMI/EMC) parameters, Indian language support, interface requirements and security standards.
Legitimate concern?
India is one of the largest smartphone markets in the world with over 650 users. According to 80th round of the National Sample Survey (NSS), the Comprehensive Modular Survey: Telecom (CMS: T) published last year, approximately 85.5 percent of households in India possessed at least one smartphone whereas around 86.3 percent households in India have access to the internet within the household premises.
The scale also brings a lot of concerns and risks. Of late there has been a rise in security attacks on smartphone users, ranging from digital frauds, financial frauds to OTP scams. And then there are larger attacks such as malware and so on.
For instance, Albiriox, a sophisticated Android Remote Access Trojan (RAT) discovered last year. Often disguised as fake system updates or utility apps, it's capable of bypassing multi-step authentication as well. And with AI, attackers are deploying the technology to craft perfectly written and personalised smishing messages, making it difficult for businesses and individuals to distinguish between official alerts or fake ones.
Data Security Council of India (DSCI), in collaboration with Seqrite, in its second edition of the India Cyber Threat Report 2025 said that mobile devices will continue to be a major target with malware becoming more sophisticated in evading detection and exploiting mobile-specific vulnerabilities. Advanced mobile malware will integrate seamlessly with legitimate applications, making it harder for users and security solutions to identify malicious activities.
Some of the India-specific trends are "reward and "UdangaSteal" wherein trojan droppers disguises itself as loyalty and rewards app and aim to bypass security current protocols masquerading as Indian loyalty or reward apps. Once downloaded, they are capable of steak financial Apple (iOS) and then buy the companies hosting apps on these platforms.
Given the risks and increasing scams targeting businesses and individuals through smartphones, it does make sense for the government to intervene or come up with some sort of security framework. And of course, consultations are highly critical before introducing any policy.
Apeksha Kaushik, Principal Analyst at Gartner, tells Entrepreneur India that India's efforts to beef up mobile security reflect legitimate national concerns but require carefully calibrated policy approaches. Gartner predicts that through 2030, mobile application security failures will be the biggest mobile threat for enterprises, she added.
"India's push to enhance mobile security standards is a progressive step that could position the country as a global leader in digital trust, provided it is executed with transparency and industry collaboration. Smartphone companies hold substantial responsibility for mobile security, yet vulnerabilities persist, necessitating continuous improvement. Governments should work collaboratively with industry to strengthen security standards and develop a balanced, transparent regulatory framework. Fostering trust, accountability and secure innovation is critical to ensuring the resilience of the mobile ecosystem" she explained.
Though, there have been apprehensions in the industry since controversies related to the Sanchar Saathi and Pegasus spyware. Would giving source codes have created fresh privacy concerns?
A SFLC spokesperson explains, "No, there is no privacy issue per se with providing source codes for review. The Sanchar Saathi app puts users at higher risk by placing large quantities of their sensitive data accessed through overbroad system permissions on the servers of a single application. Pegasus was spyware that could conduct surveillance of citizens. In this situation, handing over source code for review, similar to an exercise which already takes place under the Android Open Source Project (ASOP) for example, will not raise privacy concerns.
"Government intervention must be balanced with rigorous consultation processes involving not just industry bodies, but also civil society organisations, experts, academics and other stakeholders. Transparent, open, extensive consultations would ensure that any intervention made would be in the best interests of the country and citizenry as a whole, while balancing the security and development," the spokesperson said in a statement to Entrepreneur India.
Having said that, it's a welcome move that the government has clarified that it's not taking up unorthodox means, but there is definitely a need for a better security framework for phone users. After all, India's one of the largest mobile markets and manufacturers. Just this day, Business Standard reported that Apple's exports of iPhone from India crossed INR 2 trillion ( nearly USD 23 billion) in 2025, highest ever. Securing digital trust for India's billion-plus mobile users will definitely need the government, smartphone industry and other stakeholders to collaboratively establish a balanced, transparent regulatory ecosystem.
The onus is also on the players in the smartphone industry to ensure users' privacy.
The SFLC spokesperson adds: "OEMs/ smartphone companies definitely have the responsibility to develop secure architecture, provide updates to protect against discovered vulnerabilities and undertake mechanisms to minimize the potential for abuse of their device. They should also notify users with tips to secure devices from known vulnerability.
Accountability for hardware security must lie with the companies involved in development as hardware security is built into the physical components of the device, these components use designs to keep data safe within the device unlike software security which is relatively easier to bypass. OEMs/smartphone companies should also have the responsibility to keep a check on the supply chain providers from incorporating malicious softwares/components during production.
"For instance Apple and Google have regularly issued emergence updates to address zero-day vulnerabilities detected on their devices. Under the Android Open Source Project (ASOP) Google releases source codes, developers and users can participate by submitting code, reporting bugs or proposing new features to strengthen security. But recently Google announced that the source code will be released only twice a year from quarterly releases."
This article was originally
published by the 
