India instructs smartphone manufacturers to include government-approved cyber safety app on new devices

India has issued a directive requiring all new smartphones to come pre-installed with a government-operated cybersecurity application, raising concerns about privacy and surveillance. The directive, passed last week and made public on Monday, gives phone manufacturers 90 days to include the Sanchar Saathi app on all new devices, stating that its "functionalities cannot be disabled or restricted."

The government says the app is intended to help users verify the authenticity of a mobile device and report potential misuse of telecom resources. With over 1.2 billion mobile users, India is one of the largest smartphone markets in the world. However, cybersecurity experts have criticized the mandate, arguing that it infringes on citizens' privacy rights.

The apps privacy policy allows it to make and manage calls, send messages, access call and message logs, view photos and files, and operate the phone's camera. The Internet Freedom Foundation described it as converting "every smartphone sold in India into a vessel for state-mandated software that the user cannot meaningfully refuse, control, or remove."

In response to criticism, India's Minister of Communications Jyotiraditya Scindia stated that users could delete the app if they do not wish to use it. "This is a completely voluntary and democratic system users may choose to activate the app and avail its benefits, or if they do not wish to, they can easily delete it from their phone at any time," he wrote on X. However, it remains unclear how this would be possible if the apps functions cannot be disabled.

Launched in January, Sanchar Saathi allows users to check a device's IMEI, report lost or stolen phones, and flag suspected fraudulent communications. An IMEI, or International Mobile Equipment Identity, is a unique 15-digit code that identifies a mobile device on cellular networks, essentially acting as its serial number. According to the Department of Telecommunications, devices with duplicate or spoofed IMEI numbers pose serious risks to telecom cybersecurity.

The department also highlighted Indias large second-hand phone market, noting cases where stolen or blacklisted devices are resold, potentially making buyers unwitting participants in crime and causing financial losses. Under the new rules, the app must be clearly visible and accessible when setting up a device, and manufacturers must attempt to provide the app via software updates for unsold devices. Companies are required to submit compliance reports within 120 days.

The government maintains that the app will strengthen telecom cybersecurity. Official figures cited by Reuters indicate the app has helped recover over 700,000 lost phones, including 50,000 in October alone. However, experts are concerned about the apps broad permissions and potential for surveillance. Technology analyst Prasanto K Roy noted that the app requests access to numerous phone features, raising questions about its reach.

On Google Play Store, the app claims not to collect or share user data. The Department of Telecommunications has been contacted regarding privacy concerns. Mr. Roy also highlighted the difficulty of compliance, as the mandate conflicts with policies of many handset manufacturers, including Apple, which prohibits pre-sale installation of government or third-party apps. While Android dominates Indias smartphone market, Apple's iOS accounted for an estimated 4.5% of the 735 million smartphones in the country by mid-2025. Apple has not made a public statement but reportedly plans to convey its objections to Indian authorities.

India is not alone in introducing device verification rules. In August, Russia required all phones and tablets sold domestically to come pre-installed with the state-backed MAX messenger app, prompting similar privacy debates.

Author: Sophia Brooks